<!DOCTYPE html>
<html lang="en-US">
<head>
	
<style>.async-hide { opacity: 0 !important} </style> <script>(function(a,s,y,n,c,h,i,d,e){s.className+=' '+y;h.start=1*new Date; h.end=i=function(){s.className=s.className.replace(RegExp(' ?'+y),'')}; (a[n]=a[n]||[]).hide=h;setTimeout(function(){i();h.end=null},c);h.timeout=c; })(window,document.documentElement,'async-hide','dataLayer',4000, {'GTM-KC95766':true});</script>

<script>(function(w,d,s,l,i){w[l]=w[l]||[];w[l].push({'gtm.start':
new Date().getTime(),event:'gtm.js'});var f=d.getElementsByTagName(s)[0],
j=d.createElement(s),dl=l!='dataLayer'?'&l='+l:'';j.async=true;j.src=
'https://www.googletagmanager.com/gtm.js?id='+i+dl;f.parentNode.insertBefore(j,f);
})(window,document,'script','dataLayer','GTM-KC95766');</script>





    <meta charset="UTF-8">
    <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
    <link rel="icon" type="image/png" href="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/fav.png" />
     
    <noscript><img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=128260767783916&ev=PageView&noscript=1" /></noscript> 
     
	<meta name='robots' content='index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1' />

	
	<title>Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat</title>
	<meta name="description" content="Symbiote is a new Linux® malware we discovered that acts in a parasitic nature, infecting other running processes to inflict damage on machines." />
	<link rel="canonical" href="https://www.intezer.com/blog/research/new-linux-threat-symbiote/" />
	<meta property="og:locale" content="en_US" />
	<meta property="og:type" content="article" />
	<meta property="og:description" content="Symbiote is a new Linux® malware we discovered that acts in a parasitic nature, infecting other running processes to inflict damage on machines." />
	<meta property="og:url" content="https://www.intezer.com/blog/research/new-linux-threat-symbiote/" />
	<meta property="og:site_name" content="Intezer" />
	<meta property="article:publisher" content="https://www.facebook.com/IntezerLabs/" />
	<meta property="article:published_time" content="2022-06-09T11:06:00+00:00" />
	<meta property="article:modified_time" content="2022-06-09T15:58:56+00:00" />
	<meta property="og:image" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/symbiote-linux-threat-intezer-blog-graphic-1024x475px.png" />
	<meta property="og:image:width" content="1024" />
	<meta property="og:image:height" content="475" />
	<meta property="og:image:type" content="image/png" />
	<meta name="twitter:card" content="summary_large_image" />
	<meta name="twitter:title" content="Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat" />
	<meta name="twitter:description" content="Symbiote is a new Linux® malware we discovered that acts in a parasitic nature, infecting other running processes to inflict damage on machines." />
	<meta name="twitter:image" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/symbiote-linux-threat-intezer-blog-graphic-1024x475px.png" />
	<meta name="twitter:creator" content="@IntezerLabs" />
	<meta name="twitter:site" content="@IntezerLabs" />
	<meta name="twitter:label1" content="Written by" />
	<meta name="twitter:data1" content="Joakim Kennedy" />
	<meta name="twitter:label2" content="Est. reading time" />
	<meta name="twitter:data2" content="16 minutes" />
	<script type="application/ld+json" class="yoast-schema-graph">{"@context":"https://schema.org","@graph":[{"@type":"Organization","@id":"https://www.intezer.com/#organization","name":"Intezer","url":"https://www.intezer.com/","sameAs":["https://www.linkedin.com/company/intezer-labs/","https://www.youtube.com/channel/UCt5L5ztHh-C1NCKa6bKjXFQ","https://www.facebook.com/IntezerLabs/","https://twitter.com/IntezerLabs"],"logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.intezer.com/#/schema/logo/image/","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1.png","width":512,"height":512,"caption":"Intezer"},"image":{"@id":"https://www.intezer.com/#/schema/logo/image/"}},{"@type":"WebSite","@id":"https://www.intezer.com/#website","url":"https://www.intezer.com/","name":"Intezer","description":"","publisher":{"@id":"https://www.intezer.com/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https://www.intezer.com/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.intezer.com/blog/research/new-linux-threat-symbiote/#primaryimage","url":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/symbiote-linux-threat-intezer-blog-graphic-1024x475px.png","contentUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/symbiote-linux-threat-intezer-blog-graphic-1024x475px.png","width":1024,"height":475,"caption":"symbiote linux threat intezer"},{"@type":"WebPage","@id":"https://www.intezer.com/blog/research/new-linux-threat-symbiote/#webpage","url":"https://www.intezer.com/blog/research/new-linux-threat-symbiote/","name":"Symbiote: A New, Nearly-Impossible-to-Detect Linux Threat","isPartOf":{"@id":"https://www.intezer.com/#website"},"primaryImageOfPage":{"@id":"https://www.intezer.com/blog/research/new-linux-threat-symbiote/#primaryimage"},"datePublished":"2022-06-09T11:06:00+00:00","dateModified":"2022-06-09T15:58:56+00:00","description":"Symbiote is a new Linux® malware we discovered that acts in a parasitic nature, infecting other running processes to inflict damage on machines.","breadcrumb":{"@id":"https://www.intezer.com/blog/research/new-linux-threat-symbiote/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https://www.intezer.com/blog/research/new-linux-threat-symbiote/"]}]},{"@type":"BreadcrumbList","@id":"https://www.intezer.com/blog/research/new-linux-threat-symbiote/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https://www.intezer.com/"},{"@type":"ListItem","position":2,"name":"Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat"}]},{"@type":"Article","@id":"https://www.intezer.com/blog/research/new-linux-threat-symbiote/#article","isPartOf":{"@id":"https://www.intezer.com/blog/research/new-linux-threat-symbiote/#webpage"},"author":{"@id":"https://www.intezer.com/#/schema/person/9a754c27bb88ce12f115df9ec624893d"},"headline":"Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat","datePublished":"2022-06-09T11:06:00+00:00","dateModified":"2022-06-09T15:58:56+00:00","mainEntityOfPage":{"@id":"https://www.intezer.com/blog/research/new-linux-threat-symbiote/#webpage"},"wordCount":2900,"publisher":{"@id":"https://www.intezer.com/#organization"},"image":{"@id":"https://www.intezer.com/blog/research/new-linux-threat-symbiote/#primaryimage"},"thumbnailUrl":"https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/symbiote-linux-threat-intezer-blog-graphic-1024x475px.png","keywords":["Linux","Linux Malware","Linux threats","Symbiote"],"articleSection":["Research"],"inLanguage":"en-US"},{"@type":"Person","@id":"https://www.intezer.com/#/schema/person/9a754c27bb88ce12f115df9ec624893d","name":"Joakim Kennedy","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https://www.intezer.com/#/schema/person/image/","url":"https://secure.gravatar.com/avatar/3b08f77795dc58f3477c625488d96bef?s=96&d=mm&r=g","contentUrl":"https://secure.gravatar.com/avatar/3b08f77795dc58f3477c625488d96bef?s=96&d=mm&r=g","caption":"Joakim Kennedy"},"url":"https://www.intezer.com/author/jkennedy/"}]}</script>
	


<link rel='dns-prefetch' href='//static.addtoany.com' />
<link rel='dns-prefetch' href='//js.hs-scripts.com' />
<link rel='dns-prefetch' href='//www.google.com' />
<link rel='dns-prefetch' href='//c0.wp.com' />
<link href='https://fonts.gstatic.com' crossorigin rel='preconnect' />
<link rel="alternate" type="application/rss+xml" title="Intezer &raquo; Feed" href="https://www.intezer.com/feed/" />
<link rel='stylesheet' id='wp-block-library-css'  href='https://c0.wp.com/c/6.0/wp-includes/css/dist/block-library/style.min.css' media='all' />
<style id='wp-block-library-inline-css' type='text/css'>
.has-text-align-justify{text-align:justify;}
</style>
<link rel='stylesheet' id='prismatic-blocks-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/prismatic/css/styles-blocks.css?ver=c2b020b0b2420704e18668efee690c6f' media='all' />
<link rel='stylesheet' id='mediaelement-css'  href='https://c0.wp.com/c/6.0/wp-includes/js/mediaelement/mediaelementplayer-legacy.min.css' media='all' />
<link rel='stylesheet' id='wp-mediaelement-css'  href='https://c0.wp.com/c/6.0/wp-includes/js/mediaelement/wp-mediaelement.min.css' media='all' />
<style id='global-styles-inline-css' type='text/css'>
body{--wp--preset--color--black: #000000;--wp--preset--color--cyan-bluish-gray: #abb8c3;--wp--preset--color--white: #ffffff;--wp--preset--color--pale-pink: #f78da7;--wp--preset--color--vivid-red: #cf2e2e;--wp--preset--color--luminous-vivid-orange: #ff6900;--wp--preset--color--luminous-vivid-amber: #fcb900;--wp--preset--color--light-green-cyan: #7bdcb5;--wp--preset--color--vivid-green-cyan: #00d084;--wp--preset--color--pale-cyan-blue: #8ed1fc;--wp--preset--color--vivid-cyan-blue: #0693e3;--wp--preset--color--vivid-purple: #9b51e0;--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%);--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan: linear-gradient(135deg,rgb(122,220,180) 0%,rgb(0,208,130) 100%);--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange: linear-gradient(135deg,rgba(252,185,0,1) 0%,rgba(255,105,0,1) 100%);--wp--preset--gradient--luminous-vivid-orange-to-vivid-red: linear-gradient(135deg,rgba(255,105,0,1) 0%,rgb(207,46,46) 100%);--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray: linear-gradient(135deg,rgb(238,238,238) 0%,rgb(169,184,195) 100%);--wp--preset--gradient--cool-to-warm-spectrum: linear-gradient(135deg,rgb(74,234,220) 0%,rgb(151,120,209) 20%,rgb(207,42,186) 40%,rgb(238,44,130) 60%,rgb(251,105,98) 80%,rgb(254,248,76) 100%);--wp--preset--gradient--blush-light-purple: linear-gradient(135deg,rgb(255,206,236) 0%,rgb(152,150,240) 100%);--wp--preset--gradient--blush-bordeaux: linear-gradient(135deg,rgb(254,205,165) 0%,rgb(254,45,45) 50%,rgb(107,0,62) 100%);--wp--preset--gradient--luminous-dusk: linear-gradient(135deg,rgb(255,203,112) 0%,rgb(199,81,192) 50%,rgb(65,88,208) 100%);--wp--preset--gradient--pale-ocean: linear-gradient(135deg,rgb(255,245,203) 0%,rgb(182,227,212) 50%,rgb(51,167,181) 100%);--wp--preset--gradient--electric-grass: linear-gradient(135deg,rgb(202,248,128) 0%,rgb(113,206,126) 100%);--wp--preset--gradient--midnight: linear-gradient(135deg,rgb(2,3,129) 0%,rgb(40,116,252) 100%);--wp--preset--duotone--dark-grayscale: url('#wp-duotone-dark-grayscale');--wp--preset--duotone--grayscale: url('#wp-duotone-grayscale');--wp--preset--duotone--purple-yellow: url('#wp-duotone-purple-yellow');--wp--preset--duotone--blue-red: url('#wp-duotone-blue-red');--wp--preset--duotone--midnight: url('#wp-duotone-midnight');--wp--preset--duotone--magenta-yellow: url('#wp-duotone-magenta-yellow');--wp--preset--duotone--purple-green: url('#wp-duotone-purple-green');--wp--preset--duotone--blue-orange: url('#wp-duotone-blue-orange');--wp--preset--font-size--small: 13px;--wp--preset--font-size--medium: 20px;--wp--preset--font-size--large: 36px;--wp--preset--font-size--x-large: 42px;}.has-black-color{color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-color{color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-color{color: var(--wp--preset--color--white) !important;}.has-pale-pink-color{color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-color{color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-color{color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-color{color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-color{color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-color{color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-color{color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-color{color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-color{color: var(--wp--preset--color--vivid-purple) !important;}.has-black-background-color{background-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-background-color{background-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-background-color{background-color: var(--wp--preset--color--white) !important;}.has-pale-pink-background-color{background-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-background-color{background-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-background-color{background-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-background-color{background-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-background-color{background-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-background-color{background-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-background-color{background-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-background-color{background-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-background-color{background-color: var(--wp--preset--color--vivid-purple) !important;}.has-black-border-color{border-color: var(--wp--preset--color--black) !important;}.has-cyan-bluish-gray-border-color{border-color: var(--wp--preset--color--cyan-bluish-gray) !important;}.has-white-border-color{border-color: var(--wp--preset--color--white) !important;}.has-pale-pink-border-color{border-color: var(--wp--preset--color--pale-pink) !important;}.has-vivid-red-border-color{border-color: var(--wp--preset--color--vivid-red) !important;}.has-luminous-vivid-orange-border-color{border-color: var(--wp--preset--color--luminous-vivid-orange) !important;}.has-luminous-vivid-amber-border-color{border-color: var(--wp--preset--color--luminous-vivid-amber) !important;}.has-light-green-cyan-border-color{border-color: var(--wp--preset--color--light-green-cyan) !important;}.has-vivid-green-cyan-border-color{border-color: var(--wp--preset--color--vivid-green-cyan) !important;}.has-pale-cyan-blue-border-color{border-color: var(--wp--preset--color--pale-cyan-blue) !important;}.has-vivid-cyan-blue-border-color{border-color: var(--wp--preset--color--vivid-cyan-blue) !important;}.has-vivid-purple-border-color{border-color: var(--wp--preset--color--vivid-purple) !important;}.has-vivid-cyan-blue-to-vivid-purple-gradient-background{background: var(--wp--preset--gradient--vivid-cyan-blue-to-vivid-purple) !important;}.has-light-green-cyan-to-vivid-green-cyan-gradient-background{background: var(--wp--preset--gradient--light-green-cyan-to-vivid-green-cyan) !important;}.has-luminous-vivid-amber-to-luminous-vivid-orange-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-amber-to-luminous-vivid-orange) !important;}.has-luminous-vivid-orange-to-vivid-red-gradient-background{background: var(--wp--preset--gradient--luminous-vivid-orange-to-vivid-red) !important;}.has-very-light-gray-to-cyan-bluish-gray-gradient-background{background: var(--wp--preset--gradient--very-light-gray-to-cyan-bluish-gray) !important;}.has-cool-to-warm-spectrum-gradient-background{background: var(--wp--preset--gradient--cool-to-warm-spectrum) !important;}.has-blush-light-purple-gradient-background{background: var(--wp--preset--gradient--blush-light-purple) !important;}.has-blush-bordeaux-gradient-background{background: var(--wp--preset--gradient--blush-bordeaux) !important;}.has-luminous-dusk-gradient-background{background: var(--wp--preset--gradient--luminous-dusk) !important;}.has-pale-ocean-gradient-background{background: var(--wp--preset--gradient--pale-ocean) !important;}.has-electric-grass-gradient-background{background: var(--wp--preset--gradient--electric-grass) !important;}.has-midnight-gradient-background{background: var(--wp--preset--gradient--midnight) !important;}.has-small-font-size{font-size: var(--wp--preset--font-size--small) !important;}.has-medium-font-size{font-size: var(--wp--preset--font-size--medium) !important;}.has-large-font-size{font-size: var(--wp--preset--font-size--large) !important;}.has-x-large-font-size{font-size: var(--wp--preset--font-size--x-large) !important;}
</style>
<link rel='stylesheet' id='contact-form-7-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/contact-form-7/includes/css/styles.css?ver=5.5.6.1' media='all' />
<link rel='stylesheet' id='prismatic-highlight-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/prismatic/lib/highlight/css/default.css?ver=3.1.1' media='all' />
<link rel='stylesheet' id='bootstrap_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/bootstrap.css?ver=c2b020b0b2420704e18668efee690c6f' media='all' />
<link rel='stylesheet' id='fontawesome_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/css/font-awesome.min.css?ver=c2b020b0b2420704e18668efee690c6f' media='all' />
<link rel='stylesheet' id='main_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/style.css?ver=1654946152' media='all' />
<link rel='stylesheet' id='wpdreams-asl-basic-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style.basic.css?ver=4.10' media='all' />
<link rel='stylesheet' id='wpdreams-ajaxsearchlite-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/css/style-curvy-blue.css?ver=4.10' media='all' />
<link rel='stylesheet' id='slb_core-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/simple-lightbox/client/css/app.css?ver=2.8.1' media='all' />
<link rel='stylesheet' id='addtoany-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/add-to-any/addtoany.min.css?ver=1.16' media='all' />
<link rel='stylesheet' id='cf7cf-style-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/cf7-conditional-fields/style.css?ver=2.1.5' media='all' />
<link   rel='preload' as='style' data-wpacu-preload-it-async='1' onload="this.onload=null;this.rel='stylesheet'" id='wpacu-preload-jetpack_css-css'  href='https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/css/jetpack.css?ver=11.1-a.1' media='all' />






<link rel="https://api.w.org/" href="https://www.intezer.com/wp-json/" /><link rel="alternate" type="application/json" href="https://www.intezer.com/wp-json/wp/v2/posts/25915" />			
			
			
						
		<style>img#wpstats{display:none}</style>
					<link rel="preconnect" href="https://fonts.gstatic.com" crossorigin />
				<link rel="preload" as="style" href="//fonts.googleapis.com/css?family=Open+Sans&display=swap" />
				<link rel="stylesheet" href="//fonts.googleapis.com/css?family=Open+Sans&display=swap" media="all" />
				                <style>
                    
					div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label {
						font-size: 0px !important;
						color: rgba(0, 0, 0, 0);
					}
					div[id*='ajaxsearchlitesettings'].searchsettings .asl_option_inner label:after {
						font-size: 11px !important;
						position: absolute;
						top: 0;
						left: 0;
						z-index: 1;
					}
					.asl_w_container {
						width: 100%;
						margin: 0px 0px 14px 0px;
					}
					div[id*='ajaxsearchlite'].asl_m {
						width: 100%;
					}
					div[id*='ajaxsearchliteres'].wpdreams_asl_results div.resdrg span.highlighted {
						font-weight: bold;
						color: rgba(48, 138, 255, 1);
						background-color: rgb(255, 255, 255);
					}
					div[id*='ajaxsearchliteres'].wpdreams_asl_results .results div.asl_image {
						width: 84px;
						height: 60px;
						background-size: cover;
						background-repeat: no-repeat;
					}
					div.asl_r .results {
						max-height: none;
					}
				
						.asl_m .probox svg {
							fill: rgba(204, 216, 228, 1) !important;
						}
						.asl_m .probox .innericon {
							background-color: rgba(255, 255, 255, 1) !important;
							background-image: none !important;
							-webkit-background-image: none !important;
							-ms-background-image: none !important;
						}
					
						div.asl_m.asl_w {
							border:1px solid rgba(48, 138, 255, 1) !important;border-radius:7px 7px 7px 7px !important;
							box-shadow: none !important;
						}
						div.asl_m.asl_w .probox {border: none !important;}
					
						div.asl_r.asl_w.vertical .results .item::after {
							display: block;
							position: absolute;
							bottom: 0;
							content: '';
							height: 1px;
							width: 100%;
							background: #D8D8D8;
						}
						div.asl_r.asl_w.vertical .results .item.asl_last_item::after {
							display: none;
						}
					 div.asl_m.asl_w {
    margin: auto;
    max-width: 820px;
}
div.asl_w .probox .promagnifier {
    order: 1;
}
div.asl_r .results .item .asl_content h3, div.asl_r .results .item .asl_content h3 a {
    font-weight: 600;
    color: #233b52;
}

div.asl_r .results .item .asl_content h3 a:hover {
    font-weight: 600;
    color: #233b52;
}

.wpdreams_asl_results .results div.asl_image {
    border-radius: 7px;
}

p.asl_desc {
    color: #849eb5;
}
span.asl_nores_header {
    font-size: 14px;
}                </style>
                <link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-32x32.png" sizes="32x32" />
<link rel="icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-192x192.png" sizes="192x192" />
<link rel="apple-touch-icon" href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-180x180.png" />
<meta name="msapplication-TileImage" content="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/cropped-intezer-blue-1-270x270.png" />
<link rel="stylesheet" type="text/css" id="wp-custom-css" href="https://www.intezer.com/?custom-css=6d0455f88d" />



</head>

<body class="post-template-default single single-post postid-25915 single-format-standard wp-custom-logo new-linux-threat-symbiote elementor-default elementor-kit-8921">
<script> (function(ss,ex){ window.ldfdr=window.ldfdr||function(){(ldfdr._q=ldfdr._q||[]).push([].slice.call(arguments));}; (function(d,s){ fs=d.getElementsByTagName(s)[0]; function ce(src){ var cs=d.createElement(s); cs.src=src; cs.async=1; fs.parentNode.insertBefore(cs,fs); }; ce('https://sc.lfeeder.com/lftracker_v1_'+ss+(ex?'_'+ex:'')+'.js'); })(document,'script'); })('YEgkB8lPLLw8ep3Z'); </script>
<script> !function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod? n.callMethod.apply(n,arguments):n.queue.push(arguments)};if(!f._fbq)f._fbq=n; n.push=n;n.loaded=!0;n.version='2.0';n.queue=[];t=b.createElement(e);t.async=!0; t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window, document,'script','https://connect.facebook.net/en_US/fbevents.js'); fbq('init', '128260767783916'); // Insert your pixel ID here. fbq('track', 'PageView'); </script>
<script   type='text/javascript' id='addtoany-core-js-before'>
window.a2a_config=window.a2a_config||{};a2a_config.callbacks=[];a2a_config.overlays=[];a2a_config.templates={};
</script>
<script   type='text/javascript' async src='https://static.addtoany.com/menu/page.js' id='addtoany-core-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/jquery-3.2.1.min.js?ver=c2b020b0b2420704e18668efee690c6f' id='jquery-js'></script>
<script   data-wpacu-apply-media-query='screen and (min-width: 1024px)' type='text/javascript' async wpacu-addtoany-jquery-src='https://149520725.v2.pressablecdn.com/wp-content/plugins/add-to-any/addtoany.min.js?ver=1.1' id='addtoany-jquery-js'></script>
<script>
function wpacu_addtoany_jquery_match_media(wpacu_addtoany_jquery_match_media_var) {
    if (wpacu_addtoany_jquery_match_media_var.matches) {
        var wpacuSrcAttr = document.querySelectorAll("[wpacu-addtoany-jquery-src]")[0].getAttribute('wpacu-addtoany-jquery-src');
        document.querySelectorAll("[wpacu-addtoany-jquery-src]")[0].setAttribute('src', wpacuSrcAttr); 
    }
}
try { var wpacu_addtoany_jquery_match_media_var = window.matchMedia("screen and (min-width: 1024px)"); wpacu_addtoany_jquery_match_media(wpacu_addtoany_jquery_match_media_var); wpacu_addtoany_jquery_match_media_var.addListener(wpacu_addtoany_jquery_match_media); }
catch (wpacuError) {
  	var wpacuHrefAttr = document.querySelectorAll("[wpacu-addtoany-jquery-src]")[0].getAttribute('wpacu-addtoany-jquery-src');
    document.querySelectorAll("[wpacu-addtoany-jquery-src]")[0].setAttribute('href', wpacuHrefAttr); 
}
</script>
<script type='text/javascript' id='media-video-jwt-bridge-js-extra'>
/* <![CDATA[ */
var videopressAjax = {"ajaxUrl":"https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php","bridgeUrl":"https:\/\/www.intezer.com\/wp-content\/plugins\/jetpack\/modules\/videopress\/js\/videopress-token-bridge.js","post_id":"25915"};
/* ]]> */
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/modules/videopress/js/videopress-token-bridge.js?ver=6' id='media-video-jwt-bridge-js'></script>
<script type="text/javascript">
				var _hsq = _hsq || [];
				_hsq.push(["setContentId", "blog-post"]);
			</script>
<script>
				(function() {
					var hbspt = window.hbspt = window.hbspt || {};
					hbspt.forms = hbspt.forms || {};
					hbspt._wpFormsQueue = [];
					hbspt.enqueueForm = function(formDef) {
						if (hbspt.forms && hbspt.forms.create) {
							hbspt.forms.create(formDef);
						} else {
							hbspt._wpFormsQueue.push(formDef);
						}
					};
					if (!window.hbspt.forms.create) {
						Object.defineProperty(window.hbspt.forms, 'create', {
							configurable: true,
							get: function() {
								return hbspt._wpCreateForm;
							},
							set: function(value) {
								hbspt._wpCreateForm = value;
								while (hbspt._wpFormsQueue.length) {
									var formDef = hbspt._wpFormsQueue.shift();
									if (!document.currentScript) {
										var formScriptId = 'leadin-forms-v2-js';
										hubspot.utils.currentScript = document.getElementById(formScriptId);
									}
									hbspt._wpCreateForm.call(hbspt.forms, formDef);
								}
							},
						});
					}
				})();
			</script>
<script id="wpacu-preload-async-css-fallback">
/*! LoadCSS. [c]2020 Filament Group, Inc. MIT License */
/* This file is meant as a standalone workflow for
- testing support for link[rel=preload]
- enabling async CSS loading in browsers that do not support rel=preload
- applying rel preload css once loaded, whether supported or not.
*/
(function(w){"use strict";var wpacuLoadCSS=function(href,before,media,attributes){var doc=w.document;var ss=doc.createElement('link');var ref;if(before){ref=before}else{var refs=(doc.body||doc.getElementsByTagName('head')[0]).childNodes;ref=refs[refs.length-1]}
var sheets=doc.styleSheets;if(attributes){for(var attributeName in attributes){if(attributes.hasOwnProperty(attributeName)){ss.setAttribute(attributeName,attributes[attributeName])}}}
ss.rel="stylesheet";ss.href=href;ss.media="only x";function ready(cb){if(doc.body){return cb()}
setTimeout(function(){ready(cb)})}
ready(function(){ref.parentNode.insertBefore(ss,(before?ref:ref.nextSibling))});var onwpaculoadcssdefined=function(cb){var resolvedHref=ss.href;var i=sheets.length;while(i--){if(sheets[i].href===resolvedHref){return cb()}}
setTimeout(function(){onwpaculoadcssdefined(cb)})};function loadCB(){if(ss.addEventListener){ss.removeEventListener("load",loadCB)}
ss.media=media||"all"}
if(ss.addEventListener){ss.addEventListener("load",loadCB)}
ss.onwpaculoadcssdefined=onwpaculoadcssdefined;onwpaculoadcssdefined(loadCB);return ss};if(typeof exports!=="undefined"){exports.wpacuLoadCSS=wpacuLoadCSS}else{w.wpacuLoadCSS=wpacuLoadCSS}}(typeof global!=="undefined"?global:this))
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=AW-725468766"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());

  gtag('config', 'AW-725468766');
</script>


<noscript><iframe src="https://www.googletagmanager.com/ns.html?id=GTM-KC95766"
height="0" width="0" style="display:none;visibility:hidden"></iframe></noscript>

    <div class="background-pop"></div>
    <header id="header">
        <nav class="navbar navbar-toggleable-sm navbar-inverse bg-faded fixed-top" id="main-menu">
                <button class="navbar-toggler navbar-toggler-right" type="button" data-toggle="collapse"
                        data-target="#top-navbar" aria-controls="top-navbar" aria-expanded="false"
                        aria-label="Toggle navigation">
                    <span class="navbar-toggler-icon"></span>
                </button>
                <a class="navbar-brand" href="https://www.intezer.com/">
                    <a class="logo-link" href="https://www.intezer.com"><img class="logo-img" width="100" height="25" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/05/intezer-logo-n.png" alt="intezer"></a>                </a>
                <div class="collapse navbar-collapse" id="top-navbar">
                    <ul id="menu-top-menu" class="navbar-nav ml-auto"><li id="menu-item-13604" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-13604 nav-item"><a class="nav-link" href="https://www.intezer.com/intezer-analyze/">Product</a></li>
<li id="menu-item-131" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-131 nav-item dropdown"><a class="nav-link dropdown-toggle" href="javascript:void(0);" data-toggle="dropdown" aria-haspopup="true">Learn </a>
<ul role="menu" class="dropdown-menu">
	<li id="menu-item-15962" class="menu-item menu-item-type-taxonomy menu-item-object-category current-post-ancestor menu-item-15962 nav-item"><a class="nav-link" href="https://www.intezer.com/blog/">Blog</a></li>
	<li id="menu-item-1368" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-1368 nav-item"><a class="nav-link" href="https://www.intezer.com/resources/">Resources</a></li>
	<li id="menu-item-15894" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-15894 nav-item"><a class="nav-link" target="_blank" href="https://support.intezer.com/hc/en-us/categories/360002970919-Intezer-Analyze-Malware-Analysis-Platform">Docs</a></li>
</ul>
</li>
<li id="menu-item-20994" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-20994 nav-item dropdown"><a class="nav-link dropdown-toggle" href="javascript:void(0);" data-toggle="dropdown" aria-haspopup="true">Company </a>
<ul role="menu" class="dropdown-menu">
	<li id="menu-item-70" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-70 nav-item"><a class="nav-link" href="https://www.intezer.com/about/">About</a></li>
	<li id="menu-item-114" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-114 nav-item"><a class="nav-link" href="https://www.intezer.com/contact-us/">Contact Us</a></li>
	<li id="menu-item-3061" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-3061 nav-item"><a class="nav-link" href="https://www.intezer.com/partners/">Partners</a></li>
	<li id="menu-item-7096" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-7096 nav-item"><a class="nav-link" href="https://www.intezer.com/intezer-news/">News</a></li>
	<li id="menu-item-8417" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-8417 nav-item"><a class="nav-link" href="https://www.intezer.com/careers/">Careers</a></li>
</ul>
</li>
<li id="menu-item-22200" class="desktop-login menu-item menu-item-type-custom menu-item-object-custom menu-item-22200 nav-item"><a class="nav-link" target="_blank" href="https://analyze.intezer.com/sign-in/?utm_campaign=login-btn&#038;utm_source=intezer">Log in</a></li>
<li id="menu-item-1028" class="try-now desktop-cta menu-item menu-item-type-custom menu-item-object-custom menu-item-1028 nav-item"><a class="nav-link" target="_blank" href="https://analyze.intezer.com/"><span class="glyphicon Start Now for Free"></span>&nbsp;Start Now for Free</a></li>
<li id="menu-item-5106" class="try-now mobile-cta menu-item menu-item-type-custom menu-item-object-custom menu-item-5106 nav-item"><a class="nav-link" target="_blank" href="https://analyze.intezer.com/"><span class="glyphicon Start Now for Free"></span>&nbsp;Start Now for Free</a></li>
</ul>                  
                </div>

        </nav>
 		<section data-elementor-type="section" data-elementor-id="16929" class="elementor elementor-16929">
					<div class="elementor-section-wrap">
								<section class="elementor-section elementor-top-section elementor-element elementor-element-d8295c2 elementor-hidden-tablet elementor-hidden-mobile elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="d8295c2" data-element_type="section" id="analyze-pop" data-settings="{&quot;background_background&quot;:&quot;classic&quot;}">
						<div class="elementor-container elementor-column-gap-wide">
							<div class="elementor-row">
					<div class="elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-1195e9a" data-id="1195e9a" data-element_type="column">
			<div class="elementor-column-wrap elementor-element-populated">
							<div class="elementor-widget-wrap">
						<section class="elementor-section elementor-inner-section elementor-element elementor-element-a9b9c3b elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="a9b9c3b" data-element_type="section">
						<div class="elementor-container elementor-column-gap-no">
							<div class="elementor-row">
					<div class="elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-ebed2f0" data-id="ebed2f0" data-element_type="column">
			<div class="elementor-column-wrap elementor-element-populated">
							<div class="elementor-widget-wrap">
						<div class="elementor-element elementor-element-dd715e2 elementor-widget elementor-widget-image" data-id="dd715e2" data-element_type="widget" data-widget_type="image.default">
				<div class="elementor-widget-container">
			<style>/*! elementor - v3.6.5 - 27-04-2022 */
.elementor-widget-image{text-align:center}.elementor-widget-image a{display:inline-block}.elementor-widget-image a img[src$=".svg"]{width:48px}.elementor-widget-image img{vertical-align:middle;display:inline-block}</style>					<div class="elementor-image">
													<a href="https://www.intezer.com/intezer-analyze/">
							<img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/thumbs/logo-analize-logo-trans-ozsmvqchu4xq3efimwjdhr1x8rgjihbqxejnle9j9u.png" title="logo-analize-logo-trans" alt="Intezer Analyze" />								</a>
														</div>
						</div>
				</div>
				<div class="elementor-element elementor-element-43be782 elementor-widget elementor-widget-heading" data-id="43be782" data-element_type="widget" data-widget_type="heading.default">
				<div class="elementor-widget-container">
			<style>/*! elementor - v3.6.5 - 27-04-2022 */
.elementor-heading-title{padding:0;margin:0;line-height:1}.elementor-widget-heading .elementor-heading-title[class*=elementor-size-]>a{color:inherit;font-size:inherit;line-height:inherit}.elementor-widget-heading .elementor-heading-title.elementor-size-small{font-size:15px}.elementor-widget-heading .elementor-heading-title.elementor-size-medium{font-size:19px}.elementor-widget-heading .elementor-heading-title.elementor-size-large{font-size:29px}.elementor-widget-heading .elementor-heading-title.elementor-size-xl{font-size:39px}.elementor-widget-heading .elementor-heading-title.elementor-size-xxl{font-size:59px}</style><div class="elementor-heading-title elementor-size-default"><b>Autonomous security operations</b><br>Focus your SecOps on unique and real incidents instead of repetitive threats and false positives.</div>		</div>
				</div>
						</div>
					</div>
		</div>
				<div class="elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-c353d36" data-id="c353d36" data-element_type="column">
			<div class="elementor-column-wrap elementor-element-populated">
							<div class="elementor-widget-wrap">
						<div class="elementor-element elementor-element-7706e29 museo500 elementor-widget elementor-widget-heading" data-id="7706e29" data-element_type="widget" data-widget_type="heading.default">
				<div class="elementor-widget-container">
			<div class="elementor-heading-title elementor-size-default">Top Industries</div>		</div>
				</div>
				<div class="elementor-element elementor-element-42b2532 pop-list star-list elementor-widget elementor-widget-text-editor" data-id="42b2532" data-element_type="widget" data-widget_type="text-editor.default">
				<div class="elementor-widget-container">
			<style>/*! elementor - v3.6.5 - 27-04-2022 */
.elementor-widget-text-editor.elementor-drop-cap-view-stacked .elementor-drop-cap{background-color:#818a91;color:#fff}.elementor-widget-text-editor.elementor-drop-cap-view-framed .elementor-drop-cap{color:#818a91;border:3px solid;background-color:transparent}.elementor-widget-text-editor:not(.elementor-drop-cap-view-default) .elementor-drop-cap{margin-top:8px}.elementor-widget-text-editor:not(.elementor-drop-cap-view-default) .elementor-drop-cap-letter{width:1em;height:1em}.elementor-widget-text-editor .elementor-drop-cap{float:left;text-align:center;line-height:1;font-size:50px}.elementor-widget-text-editor .elementor-drop-cap-letter{display:inline-block}</style>					<div class="elementor-text-editor elementor-clearfix">
				<ul><li>Finance</li><li>Manufacturing</li><li>Telecom</li><li>Government</li><li>Retail</li><li>Energy</li></ul>					</div>
						</div>
				</div>
						</div>
					</div>
		</div>
								</div>
					</div>
		</section>
				<section class="elementor-section elementor-inner-section elementor-element elementor-element-59d8717 elementor-section-content-bottom elementor-section-boxed elementor-section-height-default elementor-section-height-default" data-id="59d8717" data-element_type="section">
						<div class="elementor-container elementor-column-gap-no">
							<div class="elementor-row">
					<div class="elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-d1caad7" data-id="d1caad7" data-element_type="column">
			<div class="elementor-column-wrap elementor-element-populated">
							<div class="elementor-widget-wrap">
						<div class="elementor-element elementor-element-8616ac1 elementor-align-left elementor-mobile-align-center elementor-widget elementor-widget-button" data-id="8616ac1" data-element_type="widget" id="pop-link" data-widget_type="button.default">
				<div class="elementor-widget-container">
					<div class="elementor-button-wrapper">
			<a href="https://www.intezer.com/intezer-analyze/" class="elementor-button-link elementor-button elementor-size-sm" role="button">
						<span class="elementor-button-content-wrapper">
						<span class="elementor-button-text">Learn More</span>
		</span>
					</a>
		</div>
				</div>
				</div>
						</div>
					</div>
		</div>
				<div class="elementor-column elementor-col-50 elementor-inner-column elementor-element elementor-element-565e380" data-id="565e380" data-element_type="column">
			<div class="elementor-column-wrap elementor-element-populated">
							<div class="elementor-widget-wrap">
						<div class="elementor-element elementor-element-d956561 elementor-align-left elementor-mobile-align-center main-menu-button elementor-widget elementor-widget-button" data-id="d956561" data-element_type="widget" data-widget_type="button.default">
				<div class="elementor-widget-container">
					<div class="elementor-button-wrapper">
			<a href="https://www.intezer.com/book-a-demo-analyze/" target="_blank" class="elementor-button-link elementor-button elementor-size-xs" role="button" id="get-started-analyze">
						<span class="elementor-button-content-wrapper">
						<span class="elementor-button-text">Get a Demo</span>
		</span>
					</a>
		</div>
				</div>
				</div>
						</div>
					</div>
		</div>
								</div>
					</div>
		</section>
						</div>
					</div>
		</div>
								</div>
					</div>
		</section>
							</div>
				</section>
		    </header>
<div class="popup"><div role="form" class="wpcf7" id="wpcf7-f468-o1" lang="en-US" dir="ltr">
<div class="screen-reader-response"><p role="status" aria-live="polite" aria-atomic="true"></p> <ul></ul></div>
<form action="/blog/research/new-linux-threat-symbiote/#wpcf7-f468-o1" method="post" class="wpcf7-form init clearfix" novalidate="novalidate" data-status="init" id="request-demo-form">
<div style="display: none;">
<input type="hidden" name="_wpcf7" value="468" />
<input type="hidden" name="_wpcf7_version" value="5.5.6.1" />
<input type="hidden" name="_wpcf7_locale" value="en_US" />
<input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f468-o1" />
<input type="hidden" name="_wpcf7_container_post" value="0" />
<input type="hidden" name="_wpcf7_posted_data_hash" value="" />
<input type="hidden" name="_wpcf7cf_hidden_group_fields" value="[]" />
<input type="hidden" name="_wpcf7cf_hidden_groups" value="[]" />
<input type="hidden" name="_wpcf7cf_visible_groups" value="[]" />
<input type="hidden" name="_wpcf7cf_repeaters" value="[]" />
<input type="hidden" name="_wpcf7cf_steps" value="{}" />
<input type="hidden" name="_wpcf7cf_options" value="{&quot;form_id&quot;:468,&quot;conditions&quot;:[{&quot;then_field&quot;:&quot;group-570&quot;,&quot;and_rules&quot;:[{&quot;if_field&quot;:&quot;mx_Country&quot;,&quot;operator&quot;:&quot;equals&quot;,&quot;if_value&quot;:&quot;United States&quot;}]}],&quot;settings&quot;:{&quot;animation&quot;:&quot;yes&quot;,&quot;animation_intime&quot;:200,&quot;animation_outtime&quot;:200,&quot;conditions_ui&quot;:&quot;normal&quot;,&quot;notice_dismissed&quot;:false,&quot;notice_dismissed_rollback-cf7-5.5.3&quot;:true,&quot;notice_dismissed_rollback-cf7-5.5.4&quot;:true}}" />
<input type="hidden" name="_wpcf7_recaptcha_response" value="" />
</div>
<div class="form-header"></div>
<div class="cf-field cf-field-left cf-fname">
<span class="cf-label">First Name</span><br />
<span class="wpcf7-form-control-wrap FirstName"><input type="text" name="FirstName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required fname w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-lname">
<span class="cf-label">Last Name</span><br />
<span class="wpcf7-form-control-wrap LastName"><input type="text" name="LastName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-field-left cf-title">
<span class="cf-label">Job Title</span><br />
<span class="wpcf7-form-control-wrap JobTitle"><input type="text" name="JobTitle" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-company">
<span class="cf-label">Company</span><br />
<span class="wpcf7-form-control-wrap Company"><input type="text" name="Company" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required company" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field cf-field-left">
<span class="cf-label">Email</span><br />
<span class="wpcf7-form-control-wrap EmailAddress"><input type="email" name="EmailAddress" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-email wpcf7-validates-as-required wpcf7-validates-as-email email" aria-required="true" aria-invalid="false" /></span>
</div>
<div class="cf-field">
<span class="cf-label">Country</span><br />
<span class="wpcf7-form-control-wrap mx_Country"><select name="mx_Country" class="wpcf7-form-control wpcf7-select wpcf7-validates-as-required country" aria-required="true" aria-invalid="false"><option value=""></option><option value="United States">United States</option><option value="Canada">Canada</option><option value="Afghanistan">Afghanistan</option><option value="Albania">Albania</option><option value="Algeria">Algeria</option><option value="Andorra">Andorra</option><option value="Angola">Angola</option><option value="Antigua and Barbuda">Antigua and Barbuda</option><option value="Argentina">Argentina</option><option value="Armenia">Armenia</option><option value="Aruba">Aruba</option><option value="Australia">Australia</option><option value="Austria">Austria</option><option value="Azerbaijan">Azerbaijan</option><option value="Bahamas">Bahamas</option><option value="Bahrain">Bahrain</option><option value="Bangladesh">Bangladesh</option><option value="Barbados">Barbados</option><option value="Belarus">Belarus</option><option value="Belgium">Belgium</option><option value="Belize">Belize</option><option value="Benin">Benin</option><option value="Bermuda">Bermuda</option><option value="Bhutan">Bhutan</option><option value="Bolivia">Bolivia</option><option value="Bosnia and Herzegovina">Bosnia and Herzegovina</option><option value="Botswana">Botswana</option><option value="Brazil">Brazil</option><option value="Brunei">Brunei</option><option value="Bulgaria">Bulgaria</option><option value="Burkina Faso">Burkina Faso</option><option value="Burundi">Burundi</option><option value="Cambodia">Cambodia</option><option value="Cameroon">Cameroon</option><option value="Cape Verde">Cape Verde</option><option value="Cayman Islands">Cayman Islands</option><option value="Central African Republic">Central African Republic</option><option value="Chad">Chad</option><option value="Chile">Chile</option><option value="China">China</option><option value="Colombia">Colombia</option><option value="Comoros">Comoros</option><option value="Democratic Republic of the Congo (Kinshasa)">Democratic Republic of the Congo (Kinshasa)</option><option value="Congo, Republic of(Brazzaville)">Congo, Republic of(Brazzaville)</option><option value="Costa Rica">Costa Rica</option><option value="Croatia">Croatia</option><option value="Cuba">Cuba</option><option value="Cyprus">Cyprus</option><option value="Czechia">Czechia</option><option value="Denmark">Denmark</option><option value="Djibouti">Djibouti</option><option value="Dominica">Dominica</option><option value="Dominican Republic">Dominican Republic</option><option value="East Timor (Timor-Leste)">East Timor (Timor-Leste)</option><option value="Ecuador">Ecuador</option><option value="Egypt">Egypt</option><option value="El Salvador">El Salvador</option><option value="Equatorial Guinea">Equatorial Guinea</option><option value="Eritrea">Eritrea</option><option value="Estonia">Estonia</option><option value="Ethiopia">Ethiopia</option><option value="Fiji">Fiji</option><option value="Finland">Finland</option><option value="France">France</option><option value="Gabon">Gabon</option><option value="Gambia">Gambia</option><option value="Georgia">Georgia</option><option value="Germany">Germany</option><option value="Ghana">Ghana</option><option value="Gibraltar">Gibraltar</option><option value="Greece">Greece</option><option value="Grenada">Grenada</option><option value="Guatemala">Guatemala</option><option value="Guinea">Guinea</option><option value="Guinea-Bissau">Guinea-Bissau</option><option value="Guyana">Guyana</option><option value="Haiti">Haiti</option><option value="Honduras">Honduras</option><option value="Hong Kong">Hong Kong</option><option value="Hungary">Hungary</option><option value="Iceland">Iceland</option><option value="India">India</option><option value="Indonesia">Indonesia</option><option value="Iran, Islamic Republic of">Iran, Islamic Republic of</option><option value="Iraq">Iraq</option><option value="Ireland">Ireland</option><option value="Israel">Israel</option><option value="Italy">Italy</option><option value="Ivory Coast">Ivory Coast</option><option value="Jamaica">Jamaica</option><option value="Japan">Japan</option><option value="Jordan">Jordan</option><option value="Kazakhstan">Kazakhstan</option><option value="Kenya">Kenya</option><option value="Kiribati">Kiribati</option><option value="Korea, Democratic People&#039;s Republic of(North Korea)">Korea, Democratic People&#039;s Republic of(North Korea)</option><option value="Korea, Republic of">Korea, Republic of</option><option value="Kosovo">Kosovo</option><option value="Kuwait">Kuwait</option><option value="Kyrgyzstan">Kyrgyzstan</option><option value="Lao People&#039;s Democratic Republic">Lao People&#039;s Democratic Republic</option><option value="Latvia">Latvia</option><option value="Lebanon">Lebanon</option><option value="Lesotho">Lesotho</option><option value="Liberia">Liberia</option><option value="Libya">Libya</option><option value="Liechtenstein">Liechtenstein</option><option value="Lithuania">Lithuania</option><option value="Luxembourg">Luxembourg</option><option value="Macau">Macau</option><option value="Macedonia, Rep. of">Macedonia, Rep. of</option><option value="Madagascar">Madagascar</option><option value="Malawi">Malawi</option><option value="Malaysia">Malaysia</option><option value="Maldives">Maldives</option><option value="Mali">Mali</option><option value="Malta">Malta</option><option value="Marshall Islands">Marshall Islands</option><option value="Mauritania">Mauritania</option><option value="Mauritius">Mauritius</option><option value="Mexico">Mexico</option><option value="Micronesia, Federal States of">Micronesia, Federal States of</option><option value="Moldova">Moldova</option><option value="Monaco">Monaco</option><option value="Mongolia">Mongolia</option><option value="Montenegro">Montenegro</option><option value="Morocco">Morocco</option><option value="Mozambique">Mozambique</option><option value="Myanmar, Burma">Myanmar, Burma</option><option value="Namibia">Namibia</option><option value="Nauru">Nauru</option><option value="Nepal">Nepal</option><option value="Netherlands">Netherlands</option><option value="New Caledonia">New Caledonia</option><option value="New Zealand">New Zealand</option><option value="Nicaragua">Nicaragua</option><option value="Niger">Niger</option><option value="Nigeria">Nigeria</option><option value="Norway">Norway</option><option value="Oman">Oman</option><option value="Pakistan">Pakistan</option><option value="Palau">Palau</option><option value="Palestinian territories">Palestinian territories</option><option value="Panama">Panama</option><option value="Papua New Guinea">Papua New Guinea</option><option value="Paraguay">Paraguay</option><option value="Peru">Peru</option><option value="Philippines">Philippines</option><option value="Poland">Poland</option><option value="Portugal">Portugal</option><option value="Puerto Rico">Puerto Rico</option><option value="Qatar">Qatar</option><option value="Romania">Romania</option><option value="Russian Federation">Russian Federation</option><option value="Rwanda">Rwanda</option><option value="Saint Kitts and Nevis">Saint Kitts and Nevis</option><option value="Saint Lucia">Saint Lucia</option><option value="Saint Vincent and the Grenadines">Saint Vincent and the Grenadines</option><option value="Samoa">Samoa</option><option value="San Marino">San Marino</option><option value="Sao Tome and Principe">Sao Tome and Principe</option><option value="Saudi Arabia">Saudi Arabia</option><option value="Senegal">Senegal</option><option value="Serbia">Serbia</option><option value="Seychelles">Seychelles</option><option value="Sierra Leone">Sierra Leone</option><option value="Singapore">Singapore</option><option value="Slovakia">Slovakia</option><option value="Slovenia">Slovenia</option><option value="Solomon Islands">Solomon Islands</option><option value="Somalia">Somalia</option><option value="South Africa">South Africa</option><option value="South Sudan">South Sudan</option><option value="Spain">Spain</option><option value="Sri Lanka">Sri Lanka</option><option value="Sudan">Sudan</option><option value="Suriname">Suriname</option><option value="Swaziland">Swaziland</option><option value="Sweden">Sweden</option><option value="Switzerland">Switzerland</option><option value="Syria, Syrian Arab Republic">Syria, Syrian Arab Republic</option><option value="Taiwan">Taiwan</option><option value="Tajikistan">Tajikistan</option><option value="Tanzania">Tanzania</option><option value="Thailand">Thailand</option><option value="Tibet">Tibet</option><option value="Togo">Togo</option><option value="Tonga">Tonga</option><option value="Trinidad and Tobago">Trinidad and Tobago</option><option value="Tunisia">Tunisia</option><option value="Turkey">Turkey</option><option value="Turkmenistan">Turkmenistan</option><option value="Tuvalu">Tuvalu</option><option value="Uganda">Uganda</option><option value="Ukraine">Ukraine</option><option value="United Arab Emirates">United Arab Emirates</option><option value="United Kingdom">United Kingdom</option><option value="Uruguay">Uruguay</option><option value="Uzbekistan">Uzbekistan</option><option value="Vanuatu">Vanuatu</option><option value="Vatican City State (Holy See)">Vatican City State (Holy See)</option><option value="Venezuela">Venezuela</option><option value="Vietnam">Vietnam</option><option value="Yemen">Yemen</option><option value="Zambia">Zambia</option><option value="Zimbabwe">Zimbabwe</option></select></span></p>
<div data-id="group-570" data-orig_data_id="group-570" data-clear_on_hide data-class="wpcf7cf_group">
 <span class="wpcf7-form-control-wrap mx_State"><select name="mx_State" class="wpcf7-form-control wpcf7-select wpcf7-validates-as-required country" aria-required="true" aria-invalid="false"><option value="">Select State</option><option value="Alabama">Alabama</option><option value="Alaska">Alaska</option><option value="American Samoa">American Samoa</option><option value="Arizona">Arizona</option><option value="Arkansas">Arkansas</option><option value="California">California</option><option value="Colorado">Colorado</option><option value="Connecticut">Connecticut</option><option value="Delaware">Delaware</option><option value="District of Columbia">District of Columbia</option><option value="Florida">Florida</option><option value="Georgia">Georgia</option><option value="Guam">Guam</option><option value="Hawaii">Hawaii</option><option value="Idaho">Idaho</option><option value="Illinois">Illinois</option><option value="Indiana">Indiana</option><option value="Iowa">Iowa</option><option value="Kansas">Kansas</option><option value="Kentucky">Kentucky</option><option value="Louisiana">Louisiana</option><option value="Maine">Maine</option><option value="Maryland">Maryland</option><option value="Massachusetts">Massachusetts</option><option value="Michigan">Michigan</option><option value="Minnesota">Minnesota</option><option value="Mississippi">Mississippi</option><option value="Missouri">Missouri</option><option value="Montana">Montana</option><option value="Nebraska">Nebraska</option><option value="Nevada">Nevada</option><option value="New Hampshire">New Hampshire</option><option value="New Jersey">New Jersey</option><option value="New Mexico">New Mexico</option><option value="New York">New York</option><option value="North Carolina">North Carolina</option><option value="North Dakota">North Dakota</option><option value="Northern Mariana Islands">Northern Mariana Islands</option><option value="Ohio">Ohio</option><option value="Oklahoma">Oklahoma</option><option value="Oregon">Oregon</option><option value="Pennsylvania">Pennsylvania</option><option value="Puerto Rico">Puerto Rico</option><option value="Rhode Island">Rhode Island</option><option value="South Carolina">South Carolina</option><option value="South Dakota">South Dakota</option><option value="Tennessee">Tennessee</option><option value="Texas">Texas</option><option value="United States Minor Outlying Islands">United States Minor Outlying Islands</option><option value="Utah">Utah</option><option value="Vermont">Vermont</option><option value="Virgin Islands">Virgin Islands</option><option value="Virginia">Virginia</option><option value="Washington">Washington</option><option value="West Virginia">West Virginia</option><option value="Wisconsin">Wisconsin</option><option value="Wyoming">Wyoming</option></select></span>
</div>
</div>
<div class="cf-field cf-field-left">
<span class="cf-label">Phone</span><br />
<span class="wpcf7-form-control-wrap mx_phone"><input type="tel" name="mx_phone" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-tel wpcf7-validates-as-required wpcf7-validates-as-tel w-98" aria-required="true" aria-invalid="false" /></span>
</div>
<input type="hidden" name="form-title" value="" class="wpcf7-form-control wpcf7-hidden form-title" />
<div class="cf-field">
<input type="submit" value="Submit" class="wpcf7-form-control has-spinner wpcf7-submit btn btn-primary" />
</div>
<p><script>
document.addEventListener( 'wpcf7mailsent', function( event ) {
 window.dataLayer.push({
 "event" : "request-submission",
 "formId" : event.detail.contactFormId,
 "response" : event.detail.inputs
 })
}); 
</script></p>
<div class="wpcf7-response-output" aria-hidden="true"></div></form></div></div>



<script type="application/ld+json">
{
  "@context": "https://schema.org",
  "@type": "Article",
  "mainEntityOfPage": {
    "@type": "WebPage",
    "@id": "https://www.intezer.com/blog/research/new-linux-threat-symbiote/"
  },
  "headline": "Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat",
  "image": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/symbiote-linux-threat-intezer-blog-graphic-1024x475px.png",  
  "author": {
    "@type": "Organization",
    "name": "Intezer"
  },  
  "publisher": {
    "@type": "Organization",
    "name": "Intezer",
    "logo": {
      "@type": "ImageObject",
      "url": "https://149520725.v2.pressablecdn.com/wp-content/uploads/2019/02/Round-Logo-60x60.jpg",
      "width": 50,
      "height": 50
    }
  },
  "datePublished": "2022-06-09"
}
</script>





	<div id="primary" class="content-area">
	    <div class="container">
		    <div class="single-post-page">
				<h1 class="entry-title t-dianne">Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat</h1><div class="row top-meta"><div class="col-md-12"><div class="author-box clearfix"><div class="user-bio"><span class="author-light">Written by </span><a href="https://www.intezer.com/author/jkennedy/" title="Posts by Joakim Kennedy" class="author url fn" rel="author">Joakim Kennedy</a> and <a href="https://www.intezer.com/author/blackberry/" title="Posts by The BlackBerry Threat Research &#038; Intelligence Team" class="author url fn" rel="author">The BlackBerry Threat Research &#038; Intelligence Team</a><span class="author-date"> - 9 June 2022</span></div></div></div><div class="main-blog-image"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/symbiote-linux-threat-intezer-blog-graphic-1024x475px.png" class="featured-img"></div></div><div class="row blog-cont"><div class="col-md-2 blog-side"><div class="blog-side-subscribe"><div role="form" class="wpcf7" id="wpcf7-f25657-o2" lang="en-US" dir="ltr">
<div class="screen-reader-response"><p role="status" aria-live="polite" aria-atomic="true"></p> <ul></ul></div>
<form action="/blog/research/new-linux-threat-symbiote/#wpcf7-f25657-o2" method="post" class="wpcf7-form init" novalidate="novalidate" data-status="init">
<div style="display: none;">
<input type="hidden" name="_wpcf7" value="25657" />
<input type="hidden" name="_wpcf7_version" value="5.5.6.1" />
<input type="hidden" name="_wpcf7_locale" value="en_US" />
<input type="hidden" name="_wpcf7_unit_tag" value="wpcf7-f25657-o2" />
<input type="hidden" name="_wpcf7_container_post" value="0" />
<input type="hidden" name="_wpcf7_posted_data_hash" value="" />
<input type="hidden" name="_wpcf7cf_hidden_group_fields" value="[]" />
<input type="hidden" name="_wpcf7cf_hidden_groups" value="[]" />
<input type="hidden" name="_wpcf7cf_visible_groups" value="[]" />
<input type="hidden" name="_wpcf7cf_repeaters" value="[]" />
<input type="hidden" name="_wpcf7cf_steps" value="{}" />
<input type="hidden" name="_wpcf7cf_options" value="{&quot;form_id&quot;:25657,&quot;conditions&quot;:[{&quot;then_field&quot;:&quot;group-570&quot;,&quot;and_rules&quot;:[{&quot;if_field&quot;:&quot;mx_Country&quot;,&quot;operator&quot;:&quot;equals&quot;,&quot;if_value&quot;:&quot;United States&quot;}]}],&quot;settings&quot;:{&quot;animation&quot;:&quot;yes&quot;,&quot;animation_intime&quot;:200,&quot;animation_outtime&quot;:200,&quot;conditions_ui&quot;:&quot;normal&quot;,&quot;notice_dismissed&quot;:false,&quot;notice_dismissed_rollback-cf7-5.5.3&quot;:true,&quot;notice_dismissed_rollback-cf7-5.5.4&quot;:true}}" />
<input type="hidden" name="_wpcf7_recaptcha_response" value="" />
</div>
<div class="form-header"></div>
<div id ="email-field" class="cf-field cf-field-left">
<span class="wpcf7-form-control-wrap EmailAddress"><input type="email" name="EmailAddress" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-email wpcf7-validates-as-required wpcf7-validates-as-email email" aria-required="true" aria-invalid="false" placeholder="Business Email" /></span>
</div>
<div class="cf-field cf-field-left cf-fname">
<span class="wpcf7-form-control-wrap FullName"><input type="text" name="FullName" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required fname w-98" aria-required="true" aria-invalid="false" placeholder="Full Name" /></span>
</div>
<div class="cf-field cf-company">
<span class="wpcf7-form-control-wrap Company"><input type="text" name="Company" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required company" aria-required="true" aria-invalid="false" placeholder="Company" /></span>
</div>
<div class="cf-field cf-field-left cf-title">
<span class="wpcf7-form-control-wrap JobTitle"><input type="text" name="JobTitle" value="" size="40" class="wpcf7-form-control wpcf7-text wpcf7-validates-as-required w-98" aria-required="true" aria-invalid="false" placeholder="Job Title" /></span>
</div>
<div class="cf-field">
<span class="wpcf7-form-control-wrap mx_Country"><select name="mx_Country" class="wpcf7-form-control wpcf7-select wpcf7-validates-as-required country" aria-required="true" aria-invalid="false"><option value="">Country</option><option value="United States">United States</option><option value="Canada">Canada</option><option value="Afghanistan">Afghanistan</option><option value="Albania">Albania</option><option value="Algeria">Algeria</option><option value="Andorra">Andorra</option><option value="Angola">Angola</option><option value="Antigua and Barbuda">Antigua and Barbuda</option><option value="Argentina">Argentina</option><option value="Armenia">Armenia</option><option value="Aruba">Aruba</option><option value="Australia">Australia</option><option value="Austria">Austria</option><option value="Azerbaijan">Azerbaijan</option><option value="Bahamas">Bahamas</option><option value="Bahrain">Bahrain</option><option value="Bangladesh">Bangladesh</option><option value="Barbados">Barbados</option><option value="Belarus">Belarus</option><option value="Belgium">Belgium</option><option value="Belize">Belize</option><option value="Benin">Benin</option><option value="Bermuda">Bermuda</option><option value="Bhutan">Bhutan</option><option value="Bolivia">Bolivia</option><option value="Bosnia and Herzegovina">Bosnia and Herzegovina</option><option value="Botswana">Botswana</option><option value="Brazil">Brazil</option><option value="Brunei">Brunei</option><option value="Bulgaria">Bulgaria</option><option value="Burkina Faso">Burkina Faso</option><option value="Burundi">Burundi</option><option value="Cambodia">Cambodia</option><option value="Cameroon">Cameroon</option><option value="Cape Verde">Cape Verde</option><option value="Cayman Islands">Cayman Islands</option><option value="Central African Republic">Central African Republic</option><option value="Chad">Chad</option><option value="Chile">Chile</option><option value="China">China</option><option value="Colombia">Colombia</option><option value="Comoros">Comoros</option><option value="Democratic Republic of the Congo (Kinshasa)">Democratic Republic of the Congo (Kinshasa)</option><option value="Congo, Republic of(Brazzaville)">Congo, Republic of(Brazzaville)</option><option value="Costa Rica">Costa Rica</option><option value="Croatia">Croatia</option><option value="Cuba">Cuba</option><option value="Cyprus">Cyprus</option><option value="Czechia">Czechia</option><option value="Denmark">Denmark</option><option value="Djibouti">Djibouti</option><option value="Dominica">Dominica</option><option value="Dominican Republic">Dominican Republic</option><option value="East Timor (Timor-Leste)">East Timor (Timor-Leste)</option><option value="Ecuador">Ecuador</option><option value="Egypt">Egypt</option><option value="El Salvador">El Salvador</option><option value="Equatorial Guinea">Equatorial Guinea</option><option value="Eritrea">Eritrea</option><option value="Estonia">Estonia</option><option value="Ethiopia">Ethiopia</option><option value="Fiji">Fiji</option><option value="Finland">Finland</option><option value="France">France</option><option value="Gabon">Gabon</option><option value="Gambia">Gambia</option><option value="Georgia">Georgia</option><option value="Germany">Germany</option><option value="Ghana">Ghana</option><option value="Gibraltar">Gibraltar</option><option value="Greece">Greece</option><option value="Grenada">Grenada</option><option value="Guatemala">Guatemala</option><option value="Guinea">Guinea</option><option value="Guinea-Bissau">Guinea-Bissau</option><option value="Guyana">Guyana</option><option value="Haiti">Haiti</option><option value="Honduras">Honduras</option><option value="Hong Kong">Hong Kong</option><option value="Hungary">Hungary</option><option value="Iceland">Iceland</option><option value="India">India</option><option value="Indonesia">Indonesia</option><option value="Iran, Islamic Republic of">Iran, Islamic Republic of</option><option value="Iraq">Iraq</option><option value="Ireland">Ireland</option><option value="Israel">Israel</option><option value="Italy">Italy</option><option value="Ivory Coast">Ivory Coast</option><option value="Jamaica">Jamaica</option><option value="Japan">Japan</option><option value="Jordan">Jordan</option><option value="Kazakhstan">Kazakhstan</option><option value="Kenya">Kenya</option><option value="Kiribati">Kiribati</option><option value="Korea, Democratic People&#039;s Republic of(North Korea)">Korea, Democratic People&#039;s Republic of(North Korea)</option><option value="Korea, Republic of">Korea, Republic of</option><option value="Kosovo">Kosovo</option><option value="Kuwait">Kuwait</option><option value="Kyrgyzstan">Kyrgyzstan</option><option value="Lao People&#039;s Democratic Republic">Lao People&#039;s Democratic Republic</option><option value="Latvia">Latvia</option><option value="Lebanon">Lebanon</option><option value="Lesotho">Lesotho</option><option value="Liberia">Liberia</option><option value="Libya">Libya</option><option value="Liechtenstein">Liechtenstein</option><option value="Lithuania">Lithuania</option><option value="Luxembourg">Luxembourg</option><option value="Macau">Macau</option><option value="Macedonia, Rep. of">Macedonia, Rep. of</option><option value="Madagascar">Madagascar</option><option value="Malawi">Malawi</option><option value="Malaysia">Malaysia</option><option value="Maldives">Maldives</option><option value="Mali">Mali</option><option value="Malta">Malta</option><option value="Marshall Islands">Marshall Islands</option><option value="Mauritania">Mauritania</option><option value="Mauritius">Mauritius</option><option value="Mexico">Mexico</option><option value="Micronesia, Federal States of">Micronesia, Federal States of</option><option value="Moldova, Republic of">Moldova, Republic of</option><option value="Monaco">Monaco</option><option value="Mongolia">Mongolia</option><option value="Montenegro">Montenegro</option><option value="Morocco">Morocco</option><option value="Mozambique">Mozambique</option><option value="Myanmar, Burma">Myanmar, Burma</option><option value="Namibia">Namibia</option><option value="Nauru">Nauru</option><option value="Nepal">Nepal</option><option value="Netherlands">Netherlands</option><option value="New Caledonia">New Caledonia</option><option value="New Zealand">New Zealand</option><option value="Nicaragua">Nicaragua</option><option value="Niger">Niger</option><option value="Nigeria">Nigeria</option><option value="Norway">Norway</option><option value="Oman">Oman</option><option value="Pakistan">Pakistan</option><option value="Palau">Palau</option><option value="Palestinian territories">Palestinian territories</option><option value="Panama">Panama</option><option value="Papua New Guinea">Papua New Guinea</option><option value="Paraguay">Paraguay</option><option value="Peru">Peru</option><option value="Philippines">Philippines</option><option value="Poland">Poland</option><option value="Portugal">Portugal</option><option value="Puerto Rico">Puerto Rico</option><option value="Qatar">Qatar</option><option value="Romania">Romania</option><option value="Russian Federation">Russian Federation</option><option value="Rwanda">Rwanda</option><option value="Saint Kitts and Nevis">Saint Kitts and Nevis</option><option value="Saint Lucia">Saint Lucia</option><option value="Saint Vincent and the Grenadines">Saint Vincent and the Grenadines</option><option value="Samoa">Samoa</option><option value="San Marino">San Marino</option><option value="Sao Tome and Principe">Sao Tome and Principe</option><option value="Saudi Arabia">Saudi Arabia</option><option value="Senegal">Senegal</option><option value="Serbia">Serbia</option><option value="Seychelles">Seychelles</option><option value="Sierra Leone">Sierra Leone</option><option value="Singapore">Singapore</option><option value="Slovakia">Slovakia</option><option value="Slovenia">Slovenia</option><option value="Solomon Islands">Solomon Islands</option><option value="Somalia">Somalia</option><option value="South Africa">South Africa</option><option value="South Sudan">South Sudan</option><option value="Spain">Spain</option><option value="Sri Lanka">Sri Lanka</option><option value="Sudan">Sudan</option><option value="Suriname">Suriname</option><option value="Swaziland">Swaziland</option><option value="Sweden">Sweden</option><option value="Switzerland">Switzerland</option><option value="Syria, Syrian Arab Republic">Syria, Syrian Arab Republic</option><option value="Taiwan">Taiwan</option><option value="Tajikistan">Tajikistan</option><option value="Tanzania; officially the United Republic of Tanzania">Tanzania; officially the United Republic of Tanzania</option><option value="Thailand">Thailand</option><option value="Tibet">Tibet</option><option value="Togo">Togo</option><option value="Tonga">Tonga</option><option value="Trinidad and Tobago">Trinidad and Tobago</option><option value="Tunisia">Tunisia</option><option value="Turkey">Turkey</option><option value="Turkmenistan">Turkmenistan</option><option value="Tuvalu">Tuvalu</option><option value="Uganda">Uganda</option><option value="Ukraine">Ukraine</option><option value="United Arab Emirates">United Arab Emirates</option><option value="United Kingdom">United Kingdom</option><option value="Uruguay">Uruguay</option><option value="Uzbekistan">Uzbekistan</option><option value="Vanuatu">Vanuatu</option><option value="Vatican City State (Holy See)">Vatican City State (Holy See)</option><option value="Venezuela">Venezuela</option><option value="Viet Nam">Viet Nam</option><option value="Yemen">Yemen</option><option value="Zambia">Zambia</option><option value="Zimbabwe">Zimbabwe</option></select></span></p>
<div data-id="group-570" data-orig_data_id="group-570" data-clear_on_hide data-class="wpcf7cf_group">
 <span class="wpcf7-form-control-wrap mx_State"><select name="mx_State" class="wpcf7-form-control wpcf7-select wpcf7-validates-as-required country" aria-required="true" aria-invalid="false"><option value="">Select State</option><option value="Alabama">Alabama</option><option value="Alaska">Alaska</option><option value="American Samoa">American Samoa</option><option value="Arizona">Arizona</option><option value="Arkansas">Arkansas</option><option value="California">California</option><option value="Colorado">Colorado</option><option value="Connecticut">Connecticut</option><option value="Delaware">Delaware</option><option value="District of Columbia">District of Columbia</option><option value="Florida">Florida</option><option value="Georgia">Georgia</option><option value="Guam">Guam</option><option value="Hawaii">Hawaii</option><option value="Idaho">Idaho</option><option value="Illinois">Illinois</option><option value="Indiana">Indiana</option><option value="Iowa">Iowa</option><option value="Kansas">Kansas</option><option value="Kentucky">Kentucky</option><option value="Louisiana">Louisiana</option><option value="Maine">Maine</option><option value="Maryland">Maryland</option><option value="Massachusetts">Massachusetts</option><option value="Michigan">Michigan</option><option value="Minnesota">Minnesota</option><option value="Mississippi">Mississippi</option><option value="Missouri">Missouri</option><option value="Montana">Montana</option><option value="Nebraska">Nebraska</option><option value="Nevada">Nevada</option><option value="New Hampshire">New Hampshire</option><option value="New Jersey">New Jersey</option><option value="New Mexico">New Mexico</option><option value="New York">New York</option><option value="North Carolina">North Carolina</option><option value="North Dakota">North Dakota</option><option value="Northern Mariana Islands">Northern Mariana Islands</option><option value="Ohio">Ohio</option><option value="Oklahoma">Oklahoma</option><option value="Oregon">Oregon</option><option value="Pennsylvania">Pennsylvania</option><option value="Puerto Rico">Puerto Rico</option><option value="Rhode Island">Rhode Island</option><option value="South Carolina">South Carolina</option><option value="South Dakota">South Dakota</option><option value="Tennessee">Tennessee</option><option value="Texas">Texas</option><option value="United States Minor Outlying Islands">United States Minor Outlying Islands</option><option value="Utah">Utah</option><option value="Vermont">Vermont</option><option value="Virgin Islands">Virgin Islands</option><option value="Virginia">Virginia</option><option value="Washington">Washington</option><option value="West Virginia">West Virginia</option><option value="Wisconsin">Wisconsin</option><option value="Wyoming">Wyoming</option></select></span>
</div>
</div>
<input type="hidden" name="form-title" value="" class="wpcf7-form-control wpcf7-hidden form-title" />
<div class="cf-submit">
<input type="submit" value="Subscribe" class="wpcf7-form-control has-spinner wpcf7-submit btn btn-primary" />
</div>
<div class="wpcf7-response-output" aria-hidden="true"></div></form></div><div class="side-blog-share"">Share article<div class="a2a_kit a2a_kit_size_ addtoany_list" data-a2a-url="https://www.intezer.com/blog/research/new-linux-threat-symbiote/" data-a2a-title="Symbiote Deep-Dive: Analysis of a New, Nearly-Impossible-to-Detect Linux Threat"><a class="a2a_button_facebook" href="https://www.addtoany.com/add_to/facebook?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fresearch%2Fnew-linux-threat-symbiote%2F&amp;linkname=Symbiote%20Deep-Dive%3A%20Analysis%20of%20a%20New%2C%20Nearly-Impossible-to-Detect%20Linux%20Threat" title="Facebook" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/facebook.png" alt="Facebook"></a><a class="a2a_button_twitter" href="https://www.addtoany.com/add_to/twitter?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fresearch%2Fnew-linux-threat-symbiote%2F&amp;linkname=Symbiote%20Deep-Dive%3A%20Analysis%20of%20a%20New%2C%20Nearly-Impossible-to-Detect%20Linux%20Threat" title="Twitter" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/twitter.png" alt="Twitter"></a><a class="a2a_button_linkedin" href="https://www.addtoany.com/add_to/linkedin?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fresearch%2Fnew-linux-threat-symbiote%2F&amp;linkname=Symbiote%20Deep-Dive%3A%20Analysis%20of%20a%20New%2C%20Nearly-Impossible-to-Detect%20Linux%20Threat" title="LinkedIn" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/linkedin.png" alt="LinkedIn"></a><a class="a2a_button_reddit" href="https://www.addtoany.com/add_to/reddit?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fresearch%2Fnew-linux-threat-symbiote%2F&amp;linkname=Symbiote%20Deep-Dive%3A%20Analysis%20of%20a%20New%2C%20Nearly-Impossible-to-Detect%20Linux%20Threat" title="Reddit" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/reddit.png" alt="Reddit"></a><a class="a2a_button_copy_link" href="https://www.addtoany.com/add_to/copy_link?linkurl=https%3A%2F%2Fwww.intezer.com%2Fblog%2Fresearch%2Fnew-linux-threat-symbiote%2F&amp;linkname=Symbiote%20Deep-Dive%3A%20Analysis%20of%20a%20New%2C%20Nearly-Impossible-to-Detect%20Linux%20Threat" title="Copy Link" rel="nofollow noopener" target="_blank"><img src="/wp-content/themes/intezer-v2/images/social/link.png" alt="Copy Link"></a></div></div><div class="side-blog-btn side-blog-btn-fancy"><a class="blog-side-join blog-side-cta" href="https://analyze.intezer.com/"><img src="/wp-content/uploads/2022/03/intezer-cube.png"/><h3>Get Free Account</h3><div class="join-btn">Join Now</div></a></div>        <div class="top-posts">
            <h3>Top Blogs</h3>
            <div class="top-posts-cont owl-carousel"  id="owlposts" >
                    	    <div class="related-single item">
					<h4>
                        <a href="https://www.intezer.com/blog/malware-analysis/summary-of-symbiote-research-a-new-nearly-impossible-to-detect-linux-threat/">Summary of Symbiote Research (A New, Nearly-Impossible-to-Detect Linux Threat)</a>
                    </h4>
				                    <span class="post-excerpt">In pop culture, a symbiote often gives a host superhuman ability (and occasionally also hilarious...</span>	
                    <a href="https://www.intezer.com/blog/malware-analysis/summary-of-symbiote-research-a-new-nearly-impossible-to-detect-linux-threat/" class="top-more">Read more</a>
        		</div>
        	        	    <div class="related-single item">
					<h4>
                        <a href="https://www.intezer.com/blog/cloud-security/factors-to-consider-cloud-workload-protection-platform/">7 Factors to Consider When Choosing a Cloud Workload Protection Platform (CWPP)</a>
                    </h4>
				                    <span class="post-excerpt">Cloud Workload Protection Platforms (CWPPs) are a new generation of modern, scalable security solutions designed...</span>	
                    <a href="https://www.intezer.com/blog/cloud-security/factors-to-consider-cloud-workload-protection-platform/" class="top-more">Read more</a>
        		</div>
        	        	    <div class="related-single item">
					<h4>
                        <a href="https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/">Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike</a>
                    </h4>
				                    <span class="post-excerpt">Key Findings Discovered Linux &amp; Windows re-implementation of Cobalt Strike Beacon written from scratchLinux malware...</span>	
                    <a href="https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/" class="top-more">Read more</a>
        		</div>
        	            </div>
        </div>
<link rel="stylesheet" href="/wp-content/themes/intezer-v2/css/owl.carousel.min.css">
<script type="text/javascript" src="/wp-content/themes/intezer-v2/js/owl.carousel.min.js"></script>
 <script type="text/javascript">

     $(document).ready(function() {
	 
  $("#owlposts").owlCarousel({
            items: 1,
            loop: true,
	  dots: true,
            center: true,
            margin: 0,
            rewind: false,
            autoplay: true,
            autoplayTimeout: 6000,
	  animateIn: 'fadeIn',
              animateOut: 'fadeOut',
      responsive:{
        0:{
            items:1
        },
        600:{
            items:1
        }
      },
      //onInitialized:setDots,
      //onChanged:setDots

        });
		 });




			       
	</script>
</div></div><div class="col-md-9 blog-main"><div class="single-post-content">
<p><em>This research is a joint effort between Joakim Kennedy, Security Researcher at Intezer, and the BlackBerry Threat Research &amp; Intelligence team. It can be found in the <a href="https://blogs.blackberry.com/en/2022/06/symbiote-a-new-nearly-impossible-to-detect-linux-threat" target="_blank" rel="noreferrer noopener">BlackBerry blog here</a> as well</em>.</p>



<p>In biology, a <em>symbiote</em> is an organism that lives in symbiosis with another organism. The symbiosis can be mutually beneficial to both organisms, but sometimes it can be parasitic when one benefits and the other is harmed. A few months back, we discovered a new, undetected Linux® malware that acts in this parasitic nature. We have aptly named this malware Symbiote.</p>



<p>What makes Symbiote different from other Linux malware that we usually come across, is that it needs to infect other running processes to inflict damage on infected machines. Instead of being a standalone executable file that is run to infect a machine, it is a shared object (SO) library that is loaded into all running processes using <a href="https://attack.mitre.org/techniques/T1574/006/" target="_blank" rel="noreferrer noopener nofollow"><strong>LD_PRELOAD</strong> (T1574.006),</a> and parasitically infects the machine. Once it has infected all the running processes, it provides the threat actor with rootkit functionality, the ability to harvest credentials, and remote access capability.</p>



<h2 id="h-the-birth-of-a-symbiote">The Birth of a Symbiote</h2>



<p>Our earliest detection of Symbiote is from November 2021, and it appears to have been written to target the <strong>financial sector</strong> in <strong>Latin America</strong>. Once the malware has infected a machine, it hides itself and any other malware used by the threat actor, making infections very hard to detect. Performing live forensics on an infected machine may not turn anything up since all the file, processes, and network artifacts are hidden by the malware. In addition to the rootkit capability, the malware provides a backdoor for the threat actor to log in as any user on the machine with a hardcoded password and to execute commands with the highest privileges.&nbsp;</p>



<p>Since it is extremely evasive, a Symbiote infection is likely to “fly under the radar.” In our research, we haven’t found enough evidence to determine whether Symbiote is being used in highly targeted or broad attacks.</p>



<p>One interesting technical aspect of Symbiote is its Berkeley Packet Filter (BPF) hooking functionality. Symbiote is not the first Linux malware to use BPF. For example, <a href="https://reverse.put.as/2021/12/17/knock-knock-whos-there/" target="_blank" rel="noreferrer noopener nofollow">advanced backdoors attributed</a> to the <a href="https://www.pangulab.cn/files/The_Bvp47_a_top-tier_backdoor_of_us_nsa_equation_group.en.pdf" target="_blank" rel="noreferrer noopener nofollow">Equation Group</a> have been using BPF for covert communication. However, Symbiote utilizes BPF to hide malicious network traffic on an infected machine. When an administrator starts any packet capture tool on the infected machine, BPF bytecode is injected into the kernel that defines which packets should be captured. In this process, Symbiote adds its bytecode first so it can filter out network traffic that it doesn’t want the packet-capturing software to see.</p>



<h2 id="h-evasion-techniques">Evasion Techniques</h2>



<p>Symbiote is very stealthy. The malware is designed to be loaded by the linker via the <strong>LD_PRELOAD</strong> directive. This allows it to be loaded before any other shared objects. Since it is loaded first, it can “hijack the imports” from the other library files loaded for the application. Symbiote uses this to hide its presence on the machine by hooking <strong>libc</strong> and <strong>libpcap</strong> functions. The image below shows a summary of the malware’s evasions.</p>



<figure class="wp-block-image size-full"><a href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/symbiote-evasion-techniques.png" data-slb-group="post-images" data-slb-active="1" data-slb-asset="1265113686" data-slb-internal="0"><img width="1200" height="653" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/symbiote-evasion-techniques.png" alt="" class="wp-image-26000" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/symbiote-evasion-techniques.png 1200w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/symbiote-evasion-techniques-300x163.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/symbiote-evasion-techniques-768x418.png 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/symbiote-evasion-techniques-253x139.png 253w " sizes="(max-width: 1200px) 100vw, 1200px" /></a><figcaption><em>Figure 1: Symbiote evasion techniques</em>.</figcaption></figure>



<h3 id="h-host-activity">Host Activity</h3>



<p>The Symbiote malware, in addition to hiding its own presence on the machine, also hides other files related to malware likely deployed with it. Within the binary, there is a file list that is RC4 encrypted. When hooked functions are called, the malware first dynamically loads libc and calls the original function. This logic is used in all hooked functions. An example is shown in Figure 2 below.</p>



<figure class="wp-block-image size-full"><a href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/2-logic-for-resolving-readdir.png" data-slb-group="post-images" data-slb-active="1" data-slb-asset="718799717" data-slb-internal="0"><img loading="lazy" width="867" height="456" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/2-logic-for-resolving-readdir.png" alt="logic for resolving readdir" class="wp-image-25930" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/2-logic-for-resolving-readdir.png 867w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/2-logic-for-resolving-readdir-300x158.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/2-logic-for-resolving-readdir-768x404.png 768w " sizes="(max-width: 867px) 100vw, 867px" /></a><figcaption><em>Figure 2: Logic for resolving readdir from libc.</em></figcaption></figure>



<p>If the calling application is trying to access a file or folder under <strong>/proc</strong>, the malware scrubs the output from process names that are on its list. The process names in the list below were extracted from the samples we have discovered.</p>



<ul><li>certbotx64</li><li>certbotx86</li><li>javautils</li><li>javaserverx64</li><li>javaclientex64</li><li>javanodex86</li></ul>



<p>If the calling application is not trying to access something under <strong>/proc</strong>, the malware instead scrubs the result from a file list. The files extracted from all the samples we examined are shown in the list below. Some of the file names match those used by Symbiote, while others match names of files suspected to be tools used by the threat actor on the infected machine. The list includes the following files.</p>



<ul><li>apache2start</li><li>apache2stop</li><li>profiles.php</li><li>404erro.php</li><li>javaserverx64</li><li>javaclientex64</li><li>javanodex86</li><li>liblinux.so</li><li>java.h</li><li>open.h</li><li>mpt86.h</li><li>sqlsearch.php</li><li>indexq.php</li><li>mt64.so</li><li>certbot.h</li><li>cert.h</li><li>certbotx64</li><li>certbotx86</li><li>javautils</li><li>search.so</li></ul>



<p>One consequence of Symbiote being loaded into processes via <strong>LD_PRELOAD</strong> is that tools like <strong>ldd</strong>, a utility that prints the shared libraries required by each program, will list the malware as a loaded object. To counter this, the malware hooks <strong>execve</strong> and looks for calls to this function with the environment variable <strong>LD_TRACE_LOADED_OBJECTS</strong> set to 1. To understand why, it’s worth looking at the manual page for <strong>ldd</strong>:</p>



<p class="blue-box has-background" style="background-color:#deebff">In the usual case, ldd invokes the standard dynamic linker (see ld.so(8)) with the LD_TRACE_LOADED_OBJECTS&nbsp;environment&nbsp;variable&nbsp;set&nbsp;to&nbsp;1. This causes the dynamic linker to inspect the program&#8217;s dynamic dependencies, and find (according to the rules described in ld.so(8)) and load the objects that satisfy those dependencies.&nbsp;For each dependency, ldd displays the location of the matching object and the (hexadecimal) address at which it is loaded. (The linux-vdso and ld-linux shared dependencies are special; see vdso(7) and ld.so(8).)</p>



<p>When the malware detects this, it executes the loader as <strong>ldd</strong> does, but it scrubs its own entry from the result.</p>



<h3 id="h-network-activity">Network Activity</h3>



<p>Symbiote also has functionality to hide network activity on the infected machine. It uses three different methods to accomplish this. The first method involves hooking <strong>fopen</strong> and <strong>fopen64</strong>. If the calling application tries to open <strong>/proc/net/tcp,</strong> the malware creates a temp file and copies the first line to that file. After that, it scans each line for the presence of specific ports. If the malware finds a port it’s searching for on a line it’s scanning, it skips to the next line. Otherwise, the line is written to the temp file. Once the original file has been completely processed, the malware closes the file and returns the file descriptor of the temp file back to the caller. Essentially, this gives the calling process a scrubbed result, which excludes all entries of the network connections that the malware wants to hide.</p>



<p>The second method Symbiote uses to hide its network activity is by hijacking any injected packet filtering bytecode. The Linux kernel <a href="https://www.kernel.org/doc/html/latest/networking/filter.html" target="_blank" rel="noreferrer noopener nofollow">uses extended Berkeley Packet Filter</a> (eBPF) to allow packet filtering based on rules provided from a userland process. The filtering rule is provided as eBPF bytecode that the kernel executes on a virtual machine (VM). This minimizes the context switching between kernel and userland, providing a performance boost since the kernel performs the filtering directly.</p>



<p>If an application on the infected machine tries to perform packet filtering with eBPF, Symbiote hijacks the filtering process. First, it hooks the <strong>libc</strong> function <strong>setsockopt</strong>. If the function is called with the option <strong>SO_ATTACH_FILTER</strong>, which is used to perform packet filtering on a socket, it prepends its own bytecode before the eBPF code provided by the calling application.&nbsp;</p>



<p>Code Snippet 1 shows an annotated version of the bytecode injected by one of the Symbiote samples. The bytecode “drops” if they match the following conditions:</p>



<ul><li>IPv6 (TCP or SCTP) and src port (43253 or 43753 or 63424 or 26424)</li><li>IPv6 (TCP or SCTP) and dst port 43253</li><li>IPv4 (TCP or SCTP) and src port (43253 or 43753 or 63424 or 26424)</li><li>IPv4 (TCP or SCTP) and dst port (43253 or 43753 or 63424 or 26424)</li></ul>



<p>While this bytecode only drops packets based on ports, we have also observed filtering of traffic based on IPv4 addresses. In all cases, the filtering operates on both inbound and outbound traffic from the machine, to hide both directions of the traffic. If the conditions are not met, it just jumps to the start of the bytecode provided by the calling application.&nbsp;</p>



<p>The bytecode extracted from one of the samples, as shown in Code Snippet 1, consists of 32 instructions. This code can’t be injected into the kernel on its own, because it assumes that more bytecode exists after it. There are a few jumps in this bytecode that skip to the beginning of the bytecode provided by the calling process. Without the caller’s bytecode, the injected bytecode would jump out-of-bounds, which is not allowed by the kernel. Bytecode like this either has to be handwritten or by patching compiler generated-bytecode. Either option suggests that this malware was written by a skilled developer.</p>



<pre class="wp-block-prismatic-blocks"><code class="language-xml">; Load Ether frame type from the packet.
0x00:    0x28    0x00    0x00    0x000c   	 ldabsh    0xc
; Jump if it’s not IPv6 (0x86DD)
0x01:    0x15    0x00    0x0b    0x86dd   	 jeq    r0,    0x86dd,    +0, +0x0b    (jump to 0xd)
; Load IPv6 next header into register.
0x02:    0x30    0x00    0x00    0x0014   	 ldabsb    0x14
; Short jump if SCTP
0x03:    0x15    0x02    0x00    0x0084   	 jeq    r0,    0x84,    +0x2    (jump to 0x6)   	  ; SCTP
; Short jump if TCP
0x04:    0x15    0x01    0x00    0x0006   	 jeq    r0,    0x6,    +0x1    (jump to 0x6)   		 ; TCP
; Jump to original byte code if UDP
0x05:    0x15    0x00    0x1a    0x0011   	 jeq    r0,    0x11,    +0x1a    (jump to 0x20)   	 ; UDP

; Load TCP src port into register.
0x06:    0x28    0x00    0x00    0x0036   	 ldabsh    0x36
; Jump to drop the packet if port 43253.
0x07:    0x15    0x17    0x00    0xa8f5   	 jeq    r0,    0xa8f5,    +0x17    (jump to 0x1f)    ; 43253
; Jump to drop the packet if port 43753.
0x08:    0x15    0x16    0x00    0xaae9   	 jeq    r0,    0xaae9,    +0x16    (jump to 0x1f)    ; 43753
; Jump to drop the packet if port 63424.
0x09:    0x15    0x15    0x00    0xf7c0   	 jeq    r0,    0xf7c0,    +0x15    (jump to 0x1f)    ; 63424
; Jump to drop the packet if port 26424.
0x0a:    0x15    0x14    0x00    0x6738   	 jeq    r0,    0x6738,    +0x14    (jump to 0x1f)    ; 26424

; Load TCP dst port into register.
0x0b:    0x28    0x00    0x00    0x0038   	 ldabsh    0x38
; Jump to drop packet if port 43253 else jump to 0x1c.
0x0c:    0x15    0x12    0x0f    0xa8f5   	 jeq    r0,    0xa8f5,    +0xf12 (jump to 0x1f)    (jump to 0x1c) ; 43253

; Ether frame type check for IPv4 (0x0800)
0x0d:    0x15    0x00    0x12    0x0800   	 jeq    r0,    0x800,    +0x1200    (jump to 0x20)
; Load IPv4 next header field into register.
0x0e:    0x30    0x00    0x00    0x0017   	 ldabsb    0x17
; Short jump if SCTP.
0x0f:    0x15    0x02    0x00    0x0084   	 jeq    r0,    0x84,    +0x2    (jump to 0x12)   	 ; SCTP
; Short jump if TCP.
0x10:    0x15    0x01    0x00    0x0006   	 jeq    r0,    0x6,    +0x1    (jump to 0x12)    	 ; TCP
; Jump to original byte code if UDP.
0x11:    0x15    0x00    0x0e    0x0011   	 jeq    r0,    0x11,    +0xe00    (jump to 0x20)     ; UDP

; Load IPv4 flag into register.
0x12:    0x28    0x00    0x00    0x0014   	 ldabsh    0x14
; Jump to original byte code if flags are set.
0x13:    0x45    0x0c    0x00    0x1fff   	 jset    r0,    0x1fff,    +0xc    (jump to 0x20)

; Load Internet Header Length into x.
0x14:    0xb1    0x00    0x00    0x000e   	 ldxmsh 0x0e
; Load TCP src port into register.
0x15:    0x48    0x00    0x00    0x000e   	 ldindh    r0,    0xe
; Jump to drop the packet if port 43253.
0x16:    0x15    0x08    0x00    0xa8f5   	 jeq    r0,    0xa8f5,    +0x8    (jump to 0x1f) ; 43253
; Jump to drop the packet if port 43753.
0x17:    0x15    0x07    0x00    0xaae9   	 jeq    r0,    0xaae9,    +0x7    (jump to 0x1f)    ; 43753
; Jump to drop the packet if port 63424.
0x18:    0x15    0x06    0x00    0xf7c0   	 jeq    r0,    0xf7c0,    +0x6    (jump to 0x1f)    ; 63424
; Jump to drop the packet if port 26424.
0x19:    0x15    0x05    0x00    0x6738   	 jeq    r0,    0x6738,    +0x5    (jump to 0x1f)    ; 26424

; Load TCP dst port into register.
0x1a:    0x48    0x00    0x00    0x0010   	 ldindh    r0,    0x10
; Jump to drop the packet if port 43253.
0x1b:    0x15    0x03    0x00    0xa8f5   	 jeq    r0,    0xa8f5,    +0x3    (jump to 0x1f) ; 43253
; Jump to drop the packet if port 43753.
0x1c:    0x15    0x02    0x00    0xaae9   	 jeq    r0,    0xaae9,    +0x2    (jump to 0x1f) ; 43753
; Jump to drop the packet if port 63424.
0x1d:    0x15    0x01    0x00    0xf7c0   	 jeq    r0,    0xf7c0,    +0x1    (jump to 0x1f)    ; 63424

; Jump to drop packet if true otherwise jump to original byte code.
0x1e:    0x15    0x00    0x01    0x6738   	 jeq    r0,    0x6738,    +0x100    (jump to 0x20); 26424
; Drop packet by returning 0.
0x1f:    0x06    0x00    0x00    0x0000   	 ret 0
0x20: // Original byte code.</code></pre>



<p class="has-text-align-center"><em>Code Snippet 1: Annotated bytecode extracted from one of the Symbiote samples.</em></p>



<p>The third method Symbiote uses to hide its network traffic is to hook <strong>libpcap</strong> functions. This method is used by the malware to filter out UDP traffic to domain names it has in a list. It hooks the functions <strong>pcap_loop</strong> and <strong>pcap_stats</strong> to accomplish this task. For each packet that is received, Symbiote checks the UDP payload for substrings of the domains it wants to filter out. If it finds a match, the malware ignores the packet and increments a counter. The <strong>pcap_stats</strong> uses this counter to “correct” the number of packets processed by subtracting the counter value from the true number of packets processed. If a packet payload does not contain any of the strings it has in its list, the original callback function is called. This method is used to filter out UDP packets, while the bytecode method is used to filter out TCP packets. By using all three of these methods, the malware ensures that all traffic is hidden.</p>



<h2 id="h-symbiote-objectives">Symbiote Objectives</h2>



<p>The malware&#8217;s objective, in addition to hiding malicious activity on the machine, is to harvest credentials and to provide remote access for the threat actor. The credential harvesting is performed by hooking the <strong>libc</strong> <strong>read</strong> function. If an <strong>ssh</strong> or <strong>scp</strong> process is calling the function, it captures the credentials. The credentials are first encrypted with RC4 using an embedded key, and then written to a file. For example, one of the versions of the malware writes the captured credentials to the file <strong>/usr/include/certbot.h</strong>.&nbsp;</p>



<p>In addition to storing the credentials locally, the credentials are exfiltrated. The data is hex encoded and chunked up to be exfiltrated via DNS address (A) record requests to a domain name controlled by the threat actor. The A record request has the following format:</p>



<pre class="wp-block-prismatic-blocks"><code class="language-">%PACKET_NUMBER%.%MACHINE_ID%.%HEX_ENC_PAYLOAD%.%DOMAIN_NAME%</code></pre>



<p class="has-text-align-center"><em>Code Snippet 2: Structure of DNS request used by Symbiote to exfiltrate data.</em></p>



<p>The malware checks if the machine has a nameserver configured in <strong>/etc/resolv.conf</strong>. If it doesn’t, Google’s DNS (8.8.8.8) is used. Along with sending the request to the domain name, Symbiote also sends it as a UDP broadcast.</p>



<p>Remote access to the infected machine is achieved by hooking a few Linux Pluggable Authentication Module (PAM) functions. When a service tries to use PAM to authenticate a user, the malware checks the provided password against a hardcoded password. If the password provided is a match, the hooked function returns a success response. Since the hooks are in PAM, it allows the threat actor to authenticate to the machine with any service that uses PAM. This includes remote services such as <a href="https://www.openssh.com/" target="_blank" rel="noreferrer noopener nofollow">Secure Shell (SSH)</a>.</p>



<p>If the entered password does not match the hardcoded password, the malware saves and exfiltrates it as part of its keylogging functionality. Additionally, the malware sends a DNS TXT record request to its command-and-control (C2) domain. The TXT record has the format of <strong>%MACHINEID%.%C2_DOMAIN%</strong>. If it gets a response, the malware base64 decodes the content, checks if the content has been signed by a correct ed25519 private key, decrypts the content with RC4, and executes the shell script in a spawned bash process. This functionality can operate as a break-glass method for regaining access to the machine in case the normal process doesn’t work.</p>



<p>Once the threat actor has authenticated to the infected machine, Symbiote provides functionality to gain root privileges. When the shared object is first loaded, it checks for the environment variable <strong>HTTP_SETTHIS</strong>. If the variable is set with content, the malware changes the effective user and group ID to the root user, and then clears the variable before executing the content via the system command.&nbsp;</p>



<p>This process requires that the SO has the <a href="https://linux.die.net/man/1/chmod" target="_blank" rel="noreferrer noopener nofollow">setuid permission</a> flag set. Once the system command has exited, Symbiote also exits the process, to prevent the original process from executing. Figure 3 below shows the code executed. This allows for spawning a root shell by running <strong>HTTP_SETTHIS=”/bin/bash -p” /bin/true</strong> as any user in a shell.</p>



<figure class="wp-block-image size-full"><a href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/3-symbiote-logic-to-get-root-privileges.png" data-slb-group="post-images" data-slb-active="1" data-slb-asset="1209184377" data-slb-internal="0"><img loading="lazy" width="939" height="724" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/3-symbiote-logic-to-get-root-privileges.png" alt="logic to get root privileges" class="wp-image-25931" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/3-symbiote-logic-to-get-root-privileges.png 939w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/3-symbiote-logic-to-get-root-privileges-300x231.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/3-symbiote-logic-to-get-root-privileges-768x592.png 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/3-symbiote-logic-to-get-root-privileges-310x240.png 310w " sizes="(max-width: 939px) 100vw, 939px" /></a><figcaption><em>Figure 3: Logic used to execute a command with root privileges.</em></figcaption></figure>



<h2 id="h-network-infrastructure">Network Infrastructure</h2>



<p>The domain names used by the Symbiote malware are impersonating some major Brazilian banks. This suggests that these banks or their customers are the potential targets. Using the domain names utilized by the malware, we managed to uncover a related sample that was uploaded to VirusTotal with the name <strong>certbotx64</strong>. This file name matches one of those listed as a file to hide in one of the Symbiote samples we originally obtained. The file was identified as an open-source DNS tunneling tool called <a href="https://github.com/iagox86/dnscat2" target="_blank" rel="noreferrer noopener nofollow">dnscat2</a>.&nbsp;</p>



<p>The sample had a configuration in the binary that used the <strong>git[.]bancodobrasil[.]dev</strong> domain as its C2 server. During the months of February and March, this domain name resolved to an IP address that is linked to Njalla’s Virtual Private Server (VPS) service. Passive DNS records showed that the same IP address was resolved to <strong>ns1[.]cintepol[.]link</strong> and <strong>ns2[.]cintepol[.]link</strong> a few months earlier. Cintepol is an <a href="http://www.seplag.mt.gov.br/index.php?pg=ver&amp;id=300&amp;c=38" target="_blank" rel="noreferrer noopener nofollow">intelligence portal</a> provided by the Federal Police of Brazil. The portal allows police officers to access different databases provided by the federal police as part of their investigations. The nameserver used for this impersonating domain name was active from the middle of December 2021 to the end of January 2022.&nbsp;</p>



<p>Also starting in February of 2022, the name servers for the domain <strong>caixa[.]wf</strong> were pointing to another Njalla VPS IP. Figure 4 below shows a timeline of these events. In addition to the network infrastructure, the timestamps of when the files were submitted to VirusTotal are included. These three Symbiote samples were uploaded by the same submitter from Brazil. It appears that the files were submitted to VirusTotal before the infrastructure went online.&nbsp;</p>



<p>Given that these files were submitted to VirusTotal prior to the infrastructure going online, and because some of the samples included rules to hide local IP addresses, it is possible that the samples were submitted to VirusTotal to test Antivirus detection before being used. Additionally, a version that appears to be under development was submitted at the end of November from Brazil, further suggesting VirusTotal was being used by the threat actor or group behind Symbiote for detection testing.</p>



<figure class="wp-block-image size-large"><a href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/4-symbiote-submitted-to-VT.png" data-slb-group="post-images" data-slb-active="1" data-slb-asset="2119339565" data-slb-internal="0"><img loading="lazy" width="1530" height="645" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/4-symbiote-submitted-to-VT-1530x645.png" alt="symbiote submitted to VT" class="wp-image-25932" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/4-symbiote-submitted-to-VT-1530x645.png 1530w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/4-symbiote-submitted-to-VT-300x127.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/4-symbiote-submitted-to-VT-768x324.png 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/4-symbiote-submitted-to-VT-1536x648.png 1536w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/4-symbiote-submitted-to-VT.png 1560w " sizes="(max-width: 1530px) 100vw, 1530px" /></a><figcaption>Figure 4: Timeline showing when files were submitted to VirusTotal and when network infrastructure went active.</figcaption></figure>



<h2 id="h-similarity-to-other-malware">Similarity to Other Malware</h2>



<p>Symbiote appears to be designed for both credential stealing and to provide remote access to infected Linux servers. Symbiote is not the first Linux malware developed for this goal. In 2014, ESET released an <a href="https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" target="_blank" rel="noreferrer noopener nofollow">in-depth analysis of Ebury</a>, an OpenSSH backdoor that also performs credential stealing. There are some similarities in the techniques used by both malware families. Both use hooked functions to capture credentials and exfiltrate the captured data as DNS requests. However, the authentication method to the backdoor used by the two malware families is different. When we first analyzed the samples with <a href="https://analyze.intezer.com/" target="_blank" rel="noreferrer noopener">Intezer Analyze</a>, only unique code was detected (Figure 5). As no code is shared between Symbiote and Ebury/Windigo or any other known malware, we can confidently conclude that Symbiote is a new, undiscovered Linux malware.</p>



<figure class="wp-block-image size-large"><a href="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/5-symbiote-intezer-analysis.png" data-slb-group="post-images" data-slb-active="1" data-slb-asset="471906826" data-slb-internal="0"><img loading="lazy" width="1530" height="770" src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/5-symbiote-intezer-analysis-1530x770.png" alt="symbiote intezer analysis" class="wp-image-25933" srcset="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/5-symbiote-intezer-analysis-1530x770.png 1530w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/5-symbiote-intezer-analysis-300x151.png 300w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/5-symbiote-intezer-analysis-768x386.png 768w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/5-symbiote-intezer-analysis-1536x773.png 1536w , https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/5-symbiote-intezer-analysis.png 1596w " sizes="(max-width: 1530px) 100vw, 1530px" /></a><figcaption>Figure 5: Intezer <a href="https://analyze.intezer.com/files/ec67bbdf55d3679fca72d3c814186ff4646dd779a862999c82c6faa8e6615180" target="_blank" rel="noreferrer noopener">analysis</a> of a Symbiote sample showing only genes classified as Symbiote.</figcaption></figure>



<h2 id="h-conclusion">Conclusion</h2>



<p>Symbiote is a malware that is highly evasive. Its main objective is to capture credentials and to facilitate backdoor access to infected machines. Since the malware operates as a userland level rootkit, detecting an infection may be difficult. Network telemetry can be used to detect anomalous DNS requests and security tools such as antivirus (AVs) and endpoint detection and response (EDRs) should be statically linked to ensure they are not “infected” by userland rootkits.</p>



<h2 id="h-indicators-of-compromise-iocs">Indicators of Compromise (IoCs)</h2>



<h3 id="h-hashes">Hashes</h3>



<figure class="wp-block-table"><table><tbody><tr><td class="has-text-align-left" data-align="left"><strong>Hash</strong></td><td class="has-text-align-left" data-align="left"><strong>Notes</strong></td></tr><tr><td class="has-text-align-left" data-align="left"><a href="https://analyze.intezer.com/files/121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924" target="_blank" rel="noreferrer noopener">121157e0fcb728eb8a23b55457e89d45d76aa3b7d01d3d49105890a00662c924</a></td><td class="has-text-align-left" data-align="left">“kerneldev.so.bkp.” Appears to be an early development build.</td></tr><tr><td class="has-text-align-left" data-align="left"><a href="https://analyze.intezer.com/files/f55af21f69a183fb8550ac60f392b05df14aa01d7ffe9f28bc48a118dc110b4c" target="_blank" rel="noreferrer noopener">f55af21f69a183fb8550ac60f392b05df14aa01d7ffe9f28bc48a118dc110b4c</a></td><td class="has-text-align-left" data-align="left">“mt64_.so.” Missing credential exfiltration over DNS.</td></tr><tr><td class="has-text-align-left" data-align="left"><a href="https://analyze.intezer.com/files/ec67bbdf55d3679fca72d3c814186ff4646dd779a862999c82c6faa8e6615180" target="_blank" rel="noreferrer noopener">ec67bbdf55d3679fca72d3c814186ff4646dd779a862999c82c6faa8e6615180</a></td><td class="has-text-align-left" data-align="left">“search.so.” First sample with credential exfiltration of DNS.</td></tr><tr><td class="has-text-align-left" data-align="left"><a href="https://analyze.intezer.com/files/a0cd554c35dee3fed3d1607dc18debd1296faaee29b5bd77ff83ab6956a6f9d6" target="_blank" rel="noreferrer noopener">a0cd554c35dee3fed3d1607dc18debd1296faaee29b5bd77ff83ab6956a6f9d6</a></td><td class="has-text-align-left" data-align="left">“liblinux.so.”&nbsp;</td></tr><tr><td class="has-text-align-left" data-align="left"><a href="https://analyze.intezer.com/files/45eacba032367db7f3b031e5d9df10b30d01664f24da6847322f6af1fd8e7f01" target="_blank" rel="noreferrer noopener">45eacba032367db7f3b031e5d9df10b30d01664f24da6847322f6af1fd8e7f01</a></td><td class="has-text-align-left" data-align="left">“certbotx64.” dnscat2&nbsp;</td></tr></tbody></table></figure>



<h3 id="h-ports-hidden">Ports Hidden</h3>



<ul><li>45345</li><li>34535</li><li>64543</li><li>24645</li><li>47623</li><li>62537</li><li>43253</li><li>43753</li><li>63424</li><li>26424</li></ul>



<h3 id="h-domains-hidden">Domains Hidden</h3>



<ul><li>assets[.]fans</li><li>caixa[.]cx</li><li>dpf[.]fm</li><li>bancodobrasil[.]dev</li><li>cctdcapllx0520</li><li>cctdcapllx0520[.]df[.]caixa</li><li>webfirewall[.]caixa[.]wf</li><li>caixa[.]wf</li></ul>



<h3 id="h-process-names-hidden">Process Names Hidden</h3>



<ul><li>javaserverx64</li><li>javaclientex64</li><li>javanodex86</li><li>apache2start</li><li>apache2stop</li><li>[watchdog/0]</li><li>certbotx64</li><li>certbotx86</li><li>javautils</li></ul>



<h3 id="h-file-names-hidden">File Names Hidden</h3>



<ul><li>apache2start</li><li>apache2stop</li><li>profiles.php</li><li>404erro.php</li><li>javaserverx64</li><li>javaclientex64</li><li>javanodex86</li><li>liblinux.so</li><li>java.h</li><li>open.h</li><li>mpt86.h</li><li>sqlsearch.php</li><li>indexq.php</li><li>mt64.so</li><li>certbot.h</li><li>cert.h</li><li>certbotx64</li><li>certbotx86</li><li>javautils</li><li>search.so</li></ul>



<h3 id="h-credential-exfil-domains">Credential Exfil Domains</h3>



<ul><li>*.x3206.caixa.cx</li><li>*.dev21.bancodobrasil.dev</li></ul>
<div class="author-box-bottom clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2020/12/headshot-scaled-e1607466945157-60x60.jpg" class="user-photo"><div class="user-bio"><strong> Joakim Kennedy</strong><div class="share-author"><a href="https://twitter.com/joakimkennedy" target="_blank" class="twitter-link"><i class="fa fa-twitter" aria-hidden="true"></i></a></div><p>Dr. Joakim Kennedy is a Security Researcher analyzing malware and tracking threat actors on a daily basis. For the last few years, Joakim has been researching malware written in Go. To make the analysis easier he has written the Go Reverse Engineering Toolkit (github.com/goretk), an open-source toolkit for analysis of Go binaries.</p></div></div><div class="author-box-bottom clearfix"><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/blackberry-logo-square-60x60.jpg" class="user-photo"><div class="user-bio"><strong> The BlackBerry Threat Research &amp; Intelligence Team</strong><div class="share-author"></div><p>The BlackBerry Research & Intelligence team examines emerging and persistent threats, providing intelligence analysis for the benefit of defenders and the organizations they serve.</p></div></div><div class="post-tags"> <a href="https://www.intezer.com/tag/linux/" rel="tag">Linux</a> <a href="https://www.intezer.com/tag/linux-malware/" rel="tag">Linux Malware</a> <a href="https://www.intezer.com/tag/linux-threats/" rel="tag">Linux threats</a> <a href="https://www.intezer.com/tag/symbiote/" rel="tag">Symbiote</a></div><nav class="post-nav clearfix"><div class="prev-post"><a href="https://www.intezer.com/blog/threat-hunting/track-threat-families-detect-and-hunt/" rel="prev"></a><div class="post-link clear"><h4><a href="https://www.intezer.com/blog/threat-hunting/track-threat-families-detect-and-hunt/" rel="prev">Stay Ahead of the Latest Threats with Threat Family Tracking</a></h4></div></div><div class="next-post"><a href="https://www.intezer.com/blog/malware-analysis/summary-of-symbiote-research-a-new-nearly-impossible-to-detect-linux-threat/" rel="next"></a><div class="post-link clear"><h4><a href="https://www.intezer.com/blog/malware-analysis/summary-of-symbiote-research-a-new-nearly-impossible-to-detect-linux-threat/" rel="next">Summary of Symbiote Research (A New, Nearly-Impossible-to-Detect Linux Threat)</a></h4></div></div></nav>        <div class="related-posts">
            <h3>Recommended Articles</h3>
            <ul class="row related-cont">
                    	    <li class="related-single">
                    <span class="thumb">
                    <a href="https://www.intezer.com/blog/malware-analysis/summary-of-symbiote-research-a-new-nearly-impossible-to-detect-linux-threat/" title=""><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2022/06/symbiote-linux-threat-blog-graphic-summary-253x139.png" alt="Summary of Symbiote Research (A New, Nearly-Impossible-to-Detect Linux Threat)" class="post-thumb" /></a>                    </span>
					                    <span class="read-time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 2</span> <span class="rt-label rt-postfix"></span></span></span>
                    <h4>
                        <a href="https://www.intezer.com/blog/malware-analysis/summary-of-symbiote-research-a-new-nearly-impossible-to-detect-linux-threat/">Summary of Symbiote Research (A New, Nearly-Impossible-to-Detect Linux Threat)</a>
                    </h4>
					
						
				                    <span class="post-excerpt">In pop culture, a symbiote often gives a host superhuman ability (and occasionally also...</span>	
                    <span class="post-date">9 June 2022</span>
        		</li>
        	        	    <li class="related-single">
                    <span class="thumb">
                    <a href="https://www.intezer.com/blog/cloud-security/factors-to-consider-cloud-workload-protection-platform/" title=""><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/10/BlogImage1024x475-253x139.png" alt="7 Factors to Consider When Choosing a Cloud Workload Protection Platform (CWPP)" class="post-thumb" /></a>                    </span>
					                    <span class="read-time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 4</span> <span class="rt-label rt-postfix"></span></span></span>
                    <h4>
                        <a href="https://www.intezer.com/blog/cloud-security/factors-to-consider-cloud-workload-protection-platform/">7 Factors to Consider When Choosing a Cloud Workload Protection Platform (CWPP)</a>
                    </h4>
					
						
				                    <span class="post-excerpt">Cloud Workload Protection Platforms (CWPPs) are a new generation of modern, scalable security solutions...</span>	
                    <span class="post-date">22 October 2021</span>
        		</li>
        	        	    <li class="related-single">
                    <span class="thumb">
                    <a href="https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/" title=""><img src="https://149520725.v2.pressablecdn.com/wp-content/uploads/2021/09/BlogImage1024x475-253x139.png" alt="Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike" class="post-thumb" /></a>                    </span>
					                    <span class="read-time"><span class="span-reading-time rt-reading-time"><span class="rt-label rt-prefix"></span> <span class="rt-time"> 8</span> <span class="rt-label rt-postfix"></span></span></span>
                    <h4>
                        <a href="https://www.intezer.com/blog/malware-analysis/vermilionstrike-reimplementation-cobaltstrike/">Vermilion Strike: Linux and Windows Re-implementation of Cobalt Strike</a>
                    </h4>
					
						
				                    <span class="post-excerpt">Key Findings Discovered Linux &amp; Windows re-implementation of Cobalt Strike Beacon written from scratchLinux...</span>	
                    <span class="post-date">13 September 2021</span>
        		</li>
        	            </ul>
        </div>
</div></div><div class="col-md-1"></div></div>
		    </div>
			
		
	    </div>
		

    </div>

<script>

	
$(document).ready(function() {
	$('.form-title').val('Subscribe to Blog Side');
	    $('div.single-post-page').find('a').addClass('blog-text-link');


	
	  $("input.email").focus(function() {
          $(".cf-field").addClass("show");
        });

	 $( "div.btn-sub-show" ).click(function() {
$("div.blog-side-subscribe").addClass("show");
});

		
		 var blogbtn = $('div.blog-side-subscribe').offset();

    var $window = $(window);
        if ( $window.scrollTop() >= blogbtn.top - 100) {
            $("div.side-blog-btn").addClass("fixed");
            $("div.side-blog-share").addClass("fixed");
			$("div.blog-side-subscribe").addClass("fixed");
			//$("div.btn-sub-show").addClass("fixed");
        }
else if( $window.scrollTop() < blogbtn.top - 100){
          $("div.side-blog-btn").removeClass("fixed");
          $("div.side-blog-share").removeClass("fixed");
		$("div.blog-side-subscribe").removeClass("fixed");
		//$("div.btn-sub-show").removeClass("fixed");
//$("div.blog-side-subscribe").removeClass("show");
        }
    
    $window.scroll(function() {
        if ( $window.scrollTop() >= blogbtn.top - 100) {
            $("div.side-blog-btn").addClass("fixed");
            $("div.side-blog-share").addClass("fixed");
			$("div.blog-side-subscribe").addClass("fixed");
			//$("div.btn-sub-show").addClass("fixed");
        }
else if( $window.scrollTop() < blogbtn.top - 100){
          $("div.side-blog-btn").removeClass("fixed");
          $("div.side-blog-share").removeClass("fixed");
		$("div.blog-side-subscribe").removeClass("fixed");
		//$("div.btn-sub-show").removeClass("fixed");
	//$("div.blog-side-subscribe").removeClass("show");
        }
		
    });			
});  
   

    </script>
<footer>
            <div class="container">
                <div class="row">
					<div class="footer-logo-cont"><img src="https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/images/intezer-logo-b.png" alt="intezer footer logo" width="95" height="24" title="" class="footer-logo">
						<div class="social footer-right">
                            <ul>
<li><a href="https://www.youtube.com/channel/UCt5L5ztHh-C1NCKa6bKjXFQ?view_as=subscriber" target="_blank"><i class="fa fa-youtube" aria-hidden="true" title="youtube"></i></a></li>
								<li><a href="https://www.facebook.com/IntezerLabs/" target="_blank"><i class="fa fa-facebook" aria-hidden="true" title="facebook"></i></a></li>
								 <li><a href="https://www.linkedin.com/company/intezer-labs" target="_blank"><i class="fa fa-linkedin" aria-hidden="true" title="Linkedin"></i></a></li>
                                <li><a href="https://twitter.com/intezerlabs" target="_blank"><i class="fa fa-twitter" aria-hidden="true" title="twitter"></i></a></li>
 								<li><a href="https://www.intezer.com/feed/"><i class="fa fa-rss" aria-hidden="true" title="RSS"></i></a></li>
                            </ul>
                        </div>
					</div>

                    <div class="footer-left">
						
                        <ul id="menu-footer-1" class="footer-1"><li id="menu-item-20981" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-20981 nav-item dropdown"><a class="nav-link dropdown-toggle" href="javascript:void(0);" data-toggle="dropdown" aria-haspopup="true">Solutions </a>
<ul role="menu" class="dropdown-menu">
	<li id="menu-item-1453" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-1453 nav-item"><a class="nav-link" href="https://www.intezer.com/intezer-analyze/">Analyze</a></li>
	<li id="menu-item-12276" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-12276 nav-item"><a class="nav-link" href="https://www.intezer.com/intezer-protect/">Protect</a></li>
</ul>
</li>
<li id="menu-item-213" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-213 nav-item dropdown"><a class="nav-link dropdown-toggle" href="javascript:void(0);" data-toggle="dropdown" aria-haspopup="true">Learn </a>
<ul role="menu" class="dropdown-menu">
	<li id="menu-item-15963" class="menu-item menu-item-type-taxonomy menu-item-object-category current-post-ancestor menu-item-15963 nav-item"><a class="nav-link" href="https://www.intezer.com/blog/">Blog</a></li>
	<li id="menu-item-2061" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-2061 nav-item"><a class="nav-link" href="https://www.intezer.com/resources/">Resources</a></li>
	<li id="menu-item-15892" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-15892 nav-item"><a class="nav-link" href="https://support.intezer.com/hc/en-us">Docs &#038; API</a></li>
	<li id="menu-item-21934" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-21934 nav-item"><a class="nav-link" href="https://www.intezer.com/security/">Security</a></li>
</ul>
</li>
<li id="menu-item-20982" class="menu-item menu-item-type-custom menu-item-object-custom menu-item-has-children menu-item-20982 nav-item dropdown"><a class="nav-link dropdown-toggle" href="javascript:void(0);" data-toggle="dropdown" aria-haspopup="true">Company </a>
<ul role="menu" class="dropdown-menu">
	<li id="menu-item-215" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-215 nav-item"><a class="nav-link" href="https://www.intezer.com/about/">About</a></li>
	<li id="menu-item-216" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-216 nav-item"><a class="nav-link" href="https://www.intezer.com/contact-us/">Contact Us</a></li>
	<li id="menu-item-7169" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-7169 nav-item"><a class="nav-link" href="https://www.intezer.com/partners/">Partners</a></li>
	<li id="menu-item-7168" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-7168 nav-item"><a class="nav-link" href="https://www.intezer.com/intezer-news/">News</a></li>
	<li id="menu-item-7167" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-7167 nav-item"><a class="nav-link" href="https://www.intezer.com/intezer-events/">Events</a></li>
	<li id="menu-item-8418" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-8418 nav-item"><a class="nav-link" href="https://www.intezer.com/careers/">Careers</a></li>
</ul>
</li>
</ul>                    </div>
					
	
                </div>
            </div>
			
        </footer>
        <div id="credit">
            <div class="container">
                <div>
               
                © Intezer.com 2022 All rights reserved					 
                        <ul id="menu-footer-2" class="footer-2"><li id="menu-item-59" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-59"><a href="https://www.intezer.com/terms-of-use/">Terms of Use</a></li>
<li id="menu-item-222" class="menu-item menu-item-type-post_type menu-item-object-page menu-item-privacy-policy menu-item-222"><a href="https://www.intezer.com/privacy/">Privacy Policy</a></li>
</ul>
                </div> 
						
            </div>       
        </div>

        <script type="text/javascript">
	$(window).scroll(function() {
    var nav = $('#main-menu');
    var toppopheight = $('#top-bar-spacer').height();
    var top = 130;
    if ($(window).scrollTop() >= top) {
        nav.addClass('botborder');
if(toppopheight>0)
   {nav.css({ top: toppopheight+12 });}
		
    } else {
        nav.removeClass('botborder');
     nav.css({ top: 0 });
    }
});
</script>
	   <link rel='stylesheet' id='elementor-frontend-legacy-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/custom-frontend-legacy.min.css?ver=3.6.5' media='all' />
<link rel='stylesheet' id='elementor-frontend-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/custom-frontend-lite.min.css?ver=1653890901' media='all' />
<link   data-wpacu-apply-media-query='screen and (min-width: 1024px)' rel='stylesheet' id='elementor-post-16929-css'  wpacu-elementor-post-16929-href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/post-16929.css?ver=1653890902' media='all' /><script>
function wpacu_elementor_post_16929_match_media(wpacu_elementor_post_16929_match_media_var) {
    if (wpacu_elementor_post_16929_match_media_var.matches) { 
        var wpacuHrefAttr = document.querySelectorAll("[wpacu-elementor-post-16929-href]")[0].getAttribute('wpacu-elementor-post-16929-href');
        document.querySelectorAll("[wpacu-elementor-post-16929-href]")[0].setAttribute('href', wpacuHrefAttr); 
    }
}
try { var wpacu_elementor_post_16929_match_media_var = window.matchMedia("screen and (min-width: 1024px)"); wpacu_elementor_post_16929_match_media(wpacu_elementor_post_16929_match_media_var); wpacu_elementor_post_16929_match_media_var.addListener(wpacu_elementor_post_16929_match_media); }
catch (wpacuError) {
	var wpacuHrefAttr = document.querySelectorAll("[wpacu-elementor-post-16929-href]")[0].getAttribute('wpacu-elementor-post-16929-href');
    document.querySelectorAll("[wpacu-elementor-post-16929-href]")[0].setAttribute('href', wpacuHrefAttr); 
}
</script>
<link rel='stylesheet' id='elementor-post-8921-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/post-8921.css?ver=1653890902' media='all' />
<link rel='stylesheet' id='elementor-pro-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/custom-pro-frontend-lite.min.css?ver=1653890902' media='all' />
<script   type='text/javascript' src='https://c0.wp.com/c/6.0/wp-includes/js/dist/vendor/regenerator-runtime.min.js' id='regenerator-runtime-js'></script>
<script   type='text/javascript' src='https://c0.wp.com/c/6.0/wp-includes/js/dist/vendor/wp-polyfill.min.js' id='wp-polyfill-js'></script>
<script type='text/javascript' id='contact-form-7-js-extra'>
/* <![CDATA[ */
var wpcf7 = {"api":{"root":"https:\/\/www.intezer.com\/wp-json\/","namespace":"contact-form-7\/v1"},"cached":"1"};
/* ]]> */
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/contact-form-7/includes/js/index.js?ver=5.5.6.1' id='contact-form-7-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/dynamicconditions/Public/js/dynamic-conditions-public.js?ver=1.6.0' id='dynamic-conditions-js'></script>
<script type='text/javascript' id='leadin-script-loader-js-js-extra'>
/* <![CDATA[ */
var leadin_wordpress = {"userRole":"visitor","pageType":"post","leadinPluginVersion":"8.12.41"};
/* ]]> */
</script>
<script   type='text/javascript' src='https://js.hs-scripts.com/5492986.js?integration=WordPress&#038;ver=8.12.41' async defer id='hs-script-loader'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/prismatic/lib/highlight/js/highlight-core.js?ver=3.1.1' id='prismatic-highlight-js'></script>
<script   type='text/javascript' id='prismatic-highlight-js-after'>
hljs.highlightAll();
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/tether.min.js?ver=c2b020b0b2420704e18668efee690c6f' id='tether_js-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/bootstrap.min.js?ver=c2b020b0b2420704e18668efee690c6f' id='bootstrap_js-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/themes/intezer-v2/js/main.js?ver=c2b020b0b2420704e18668efee690c6f' id='intezer-main-scripts-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/js/min/external/simplebar.js?ver=4751' id='wd-asl-scroll-simple-js'></script>
<script   type='text/javascript' id='wd-asl-ajaxsearchlite-js-before'>
window.ASL = typeof window.ASL !== 'undefined' ? window.ASL : {}; window.ASL.wp_rocket_exception = "DOMContentLoaded"; window.ASL.ajaxurl = "https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php"; window.ASL.backend_ajaxurl = "https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php"; window.ASL.js_scope = "jQuery"; window.ASL.asl_url = "https:\/\/www.intezer.com\/wp-content\/plugins\/ajax-search-lite\/"; window.ASL.detect_ajax = 0; window.ASL.media_query = 4751; window.ASL.version = 4751; window.ASL.pageHTML = ""; window.ASL.additional_scripts = [{"handle":"wd-asl-scroll-simple","src":"https:\/\/www.intezer.com\/wp-content\/plugins\/ajax-search-lite\/js\/min\/external\/simplebar.js","prereq":false},{"handle":"wd-asl-ajaxsearchlite","src":"https:\/\/www.intezer.com\/wp-content\/plugins\/ajax-search-lite\/js\/min\/plugin\/optimized\/asl-prereq.js","prereq":[]},{"handle":"wd-asl-ajaxsearchlite-core","src":"https:\/\/www.intezer.com\/wp-content\/plugins\/ajax-search-lite\/js\/min\/plugin\/optimized\/asl-core.js","prereq":[]},{"handle":"wd-asl-ajaxsearchlite-vertical","src":"https:\/\/www.intezer.com\/wp-content\/plugins\/ajax-search-lite\/js\/min\/plugin\/optimized\/asl-results-vertical.js","prereq":["wd-asl-ajaxsearchlite"]},{"handle":"wd-asl-ajaxsearchlite-load","src":"https:\/\/www.intezer.com\/wp-content\/plugins\/ajax-search-lite\/js\/min\/plugin\/optimized\/asl-load.js","prereq":["wd-asl-ajaxsearchlite-vertical"]}]; window.ASL.script_async_load = false; window.ASL.scrollbar = true; window.ASL.css_async = false; window.ASL.js_retain_popstate = 0; window.ASL.highlight = {"enabled":false,"data":[]}; window.ASL.fix_duplicates = 1; window.ASL.analytics = {"method":0,"tracking_id":"","string":"?ajax_search={asl_term}","event":{"focus":{"active":1,"action":"focus","category":"ASL","label":"Input focus","value":"1"},"search_start":{"active":0,"action":"search_start","category":"ASL","label":"Phrase: {phrase}","value":"1"},"search_end":{"active":1,"action":"search_end","category":"ASL","label":"{phrase} | {results_count}","value":"1"},"magnifier":{"active":1,"action":"magnifier","category":"ASL","label":"Magnifier clicked","value":"1"},"return":{"active":1,"action":"return","category":"ASL","label":"Return button pressed","value":"1"},"facet_change":{"active":0,"action":"facet_change","category":"ASL","label":"{option_label} | {option_value}","value":"1"},"result_click":{"active":1,"action":"result_click","category":"ASL","label":"{result_title} | {result_url}","value":"1"}}};
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/js/min/plugin/optimized/asl-prereq.js?ver=4751' id='wd-asl-ajaxsearchlite-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/js/min/plugin/optimized/asl-core.js?ver=4751' id='wd-asl-ajaxsearchlite-core-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/js/min/plugin/optimized/asl-results-vertical.js?ver=4751' id='wd-asl-ajaxsearchlite-vertical-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/js/min/plugin/optimized/asl-load.js?ver=4751' id='wd-asl-ajaxsearchlite-load-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/ajax-search-lite/js/min/plugin/optimized/asl-wrapper.js?ver=4751' id='wd-asl-ajaxsearchlite-wrapper-js'></script>
<script type='text/javascript' id='wpcf7cf-scripts-js-extra'>
/* <![CDATA[ */
var wpcf7cf_global_settings = {"ajaxurl":"https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php"};
/* ]]> */
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/cf7-conditional-fields/js/scripts.js?ver=2.1.5' id='wpcf7cf-scripts-js'></script>
<script   type='text/javascript' src='https://www.google.com/recaptcha/api.js?render=6LewXc8UAAAAADEYz8dYpHTk55uH2MjKqbyc1sXD&#038;ver=3.0' id='google-recaptcha-js'></script>
<script type='text/javascript' id='wpcf7-recaptcha-js-extra'>
/* <![CDATA[ */
var wpcf7_recaptcha = {"sitekey":"6LewXc8UAAAAADEYz8dYpHTk55uH2MjKqbyc1sXD","actions":{"homepage":"homepage","contactform":"contactform"}};
/* ]]> */
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/contact-form-7/modules/recaptcha/index.js?ver=5.5.6.1' id='wpcf7-recaptcha-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/simple-lightbox/client/js/prod/lib.core.js?ver=2.8.1' id='slb_core-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/simple-lightbox/client/js/prod/lib.view.js?ver=2.8.1' id='slb_view-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/simple-lightbox/themes/baseline/js/prod/client.js?ver=2.8.1' id='slb-asset-slb_baseline-base-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/simple-lightbox/themes/default/js/prod/client.js?ver=2.8.1' id='slb-asset-slb_default-base-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/simple-lightbox/template-tags/item/js/prod/tag.item.js?ver=2.8.1' id='slb-asset-item-base-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/simple-lightbox/template-tags/ui/js/prod/tag.ui.js?ver=2.8.1' id='slb-asset-ui-base-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/simple-lightbox/content-handlers/image/js/prod/handler.image.js?ver=2.8.1' id='slb-asset-image-base-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor-pro/assets/js/webpack-pro.runtime.min.js?ver=3.7.1' id='elementor-pro-webpack-runtime-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor/assets/js/webpack.runtime.min.js?ver=3.6.5' id='elementor-webpack-runtime-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor/assets/js/frontend-modules.min.js?ver=3.6.5' id='elementor-frontend-modules-js'></script>
<script   type='text/javascript' src='https://c0.wp.com/c/6.0/wp-includes/js/dist/hooks.min.js' id='wp-hooks-js'></script>
<script   type='text/javascript' src='https://c0.wp.com/c/6.0/wp-includes/js/dist/i18n.min.js' id='wp-i18n-js'></script>
<script   type='text/javascript' id='wp-i18n-js-after'>
wp.i18n.setLocaleData( { 'text direction\u0004ltr': [ 'ltr' ] } );
</script>
<script   type='text/javascript' id='elementor-pro-frontend-js-before'>
var ElementorProFrontendConfig = {"ajaxurl":"https:\/\/www.intezer.com\/wp-admin\/admin-ajax.php","nonce":"a742b3493d","urls":{"assets":"https:\/\/www.intezer.com\/wp-content\/plugins\/elementor-pro\/assets\/","rest":"https:\/\/www.intezer.com\/wp-json\/"},"shareButtonsNetworks":{"facebook":{"title":"Facebook","has_counter":true},"twitter":{"title":"Twitter"},"linkedin":{"title":"LinkedIn","has_counter":true},"pinterest":{"title":"Pinterest","has_counter":true},"reddit":{"title":"Reddit","has_counter":true},"vk":{"title":"VK","has_counter":true},"odnoklassniki":{"title":"OK","has_counter":true},"tumblr":{"title":"Tumblr"},"digg":{"title":"Digg"},"skype":{"title":"Skype"},"stumbleupon":{"title":"StumbleUpon","has_counter":true},"mix":{"title":"Mix"},"telegram":{"title":"Telegram"},"pocket":{"title":"Pocket","has_counter":true},"xing":{"title":"XING","has_counter":true},"whatsapp":{"title":"WhatsApp"},"email":{"title":"Email"},"print":{"title":"Print"}},"facebook_sdk":{"lang":"en_US","app_id":""},"lottie":{"defaultAnimationUrl":"https:\/\/www.intezer.com\/wp-content\/plugins\/elementor-pro\/modules\/lottie\/assets\/animations\/default.json"}};
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor-pro/assets/js/frontend.min.js?ver=3.7.1' id='elementor-pro-frontend-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor/assets/lib/waypoints/waypoints.min.js?ver=4.0.2' id='elementor-waypoints-js'></script>
<script   type='text/javascript' src='https://c0.wp.com/c/6.0/wp-includes/js/jquery/ui/core.min.js' id='jquery-ui-core-js'></script>
<script   type='text/javascript' id='elementor-frontend-js-before'>
var elementorFrontendConfig = {"environmentMode":{"edit":false,"wpPreview":false,"isScriptDebug":false},"i18n":{"shareOnFacebook":"Share on Facebook","shareOnTwitter":"Share on Twitter","pinIt":"Pin it","download":"Download","downloadImage":"Download image","fullscreen":"Fullscreen","zoom":"Zoom","share":"Share","playVideo":"Play Video","previous":"Previous","next":"Next","close":"Close"},"is_rtl":false,"breakpoints":{"xs":0,"sm":480,"md":768,"lg":1140,"xl":1440,"xxl":1600},"responsive":{"breakpoints":{"mobile":{"label":"Mobile","value":767,"default_value":767,"direction":"max","is_enabled":true},"mobile_extra":{"label":"Mobile Extra","value":880,"default_value":880,"direction":"max","is_enabled":false},"tablet":{"label":"Tablet","value":1139,"default_value":1024,"direction":"max","is_enabled":true},"tablet_extra":{"label":"Tablet Extra","value":1200,"default_value":1200,"direction":"max","is_enabled":false},"laptop":{"label":"Laptop","value":1366,"default_value":1366,"direction":"max","is_enabled":false},"widescreen":{"label":"Widescreen","value":2400,"default_value":2400,"direction":"min","is_enabled":false}}},"version":"3.6.5","is_static":false,"experimentalFeatures":{"e_optimized_assets_loading":true,"e_optimized_css_loading":true,"e_font_icon_svg":true,"e_import_export":true,"e_hidden_wordpress_widgets":true,"theme_builder_v2":true,"landing-pages":true,"elements-color-picker":true,"favorite-widgets":true,"admin-top-bar":true,"page-transitions":true,"form-submissions":true,"e_scroll_snap":true},"urls":{"assets":"https:\/\/www.intezer.com\/wp-content\/plugins\/elementor\/assets\/"},"settings":{"page":[],"editorPreferences":[]},"kit":{"viewport_tablet":1139,"active_breakpoints":["viewport_mobile","viewport_tablet"],"lightbox_enable_fullscreen":"yes","lightbox_title_src":"title","lightbox_description_src":"description"},"post":{"id":25915,"title":"Symbiote%3A%20A%20New%2C%20Nearly-Impossible-to-Detect%20Linux%20Threat","excerpt":"Symbiote is a new Linux\u00ae malware we discovered that acts in a parasitic nature, infecting other running processes to inflict damage on machines.","featuredImage":"https:\/\/www.intezer.com\/wp-content\/uploads\/2022\/06\/symbiote-linux-threat-intezer-blog-graphic-1024x475px.png"}};
</script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.6.5' id='elementor-frontend-js'></script>
<script   type='text/javascript' src='https://149520725.v2.pressablecdn.com/wp-content/plugins/elementor-pro/assets/js/elements-handlers.min.js?ver=3.7.1' id='pro-elements-handlers-js'></script>
<script type="text/javascript" id="slb_footer">/* <![CDATA[ */if ( !!window.jQuery ) {(function($){$(document).ready(function(){if ( !!window.SLB && SLB.has_child('View.init') ) { SLB.View.init({"ui_autofit":true,"ui_animate":true,"slideshow_autostart":false,"slideshow_duration":"6","group_loop":true,"ui_overlay_opacity":"0.8","ui_title_default":false,"theme_default":"slb_default","ui_labels":{"loading":"Loading","close":"Close","nav_next":"Next","nav_prev":"Previous","slideshow_start":"Start slideshow","slideshow_stop":"Stop slideshow","group_status":""}}); }
if ( !!window.SLB && SLB.has_child('View.assets') ) { {$.extend(SLB.View.assets, {"1265113686":{"id":26000,"type":"image","internal":true,"source":"https:\/\/www.intezer.com\/wp-content\/uploads\/2022\/06\/symbiote-evasion-techniques.png","title":"symbiote-evasion-techniques","caption":"","description":""},"718799717":{"id":25930,"type":"image","internal":true,"source":"https:\/\/www.intezer.com\/wp-content\/uploads\/2022\/06\/2-logic-for-resolving-readdir.png","title":"2 logic for resolving readdir","caption":"","description":""},"1209184377":{"id":25931,"type":"image","internal":true,"source":"https:\/\/www.intezer.com\/wp-content\/uploads\/2022\/06\/3-symbiote-logic-to-get-root-privileges.png","title":"3 symbiote logic to get root privileges","caption":"","description":""},"2119339565":{"id":25932,"type":"image","internal":true,"source":"https:\/\/www.intezer.com\/wp-content\/uploads\/2022\/06\/4-symbiote-submitted-to-VT.png","title":"4 symbiote submitted to VT","caption":"Figure 4: Timeline showing when files were submitted to VirusTotal and when network infrastructure went active.","description":""},"471906826":{"id":25933,"type":"image","internal":true,"source":"https:\/\/www.intezer.com\/wp-content\/uploads\/2022\/06\/5-symbiote-intezer-analysis.png","title":"5 symbiote intezer analysis","caption":"Figure 5: Intezer analysis of a Symbiote sample showing only genes classified as Symbiote.","description":""}});} }
/* THM */
if ( !!window.SLB && SLB.has_child('View.extend_theme') ) { SLB.View.extend_theme('slb_baseline',{"name":"Baseline","parent":"","styles":[{"handle":"base","uri":"https:\/\/www.intezer.com\/wp-content\/plugins\/simple-lightbox\/themes\/baseline\/css\/style.css","deps":[]}],"layout_raw":"<div class=\"slb_container\"><div class=\"slb_content\">{{item.content}}<div class=\"slb_nav\"><span class=\"slb_prev\">{{ui.nav_prev}}<\/span><span class=\"slb_next\">{{ui.nav_next}}<\/span><\/div><div class=\"slb_controls\"><span class=\"slb_close\">{{ui.close}}<\/span><span class=\"slb_slideshow\">{{ui.slideshow_control}}<\/span><\/div><div class=\"slb_loading\">{{ui.loading}}<\/div><\/div><div class=\"slb_details\"><div class=\"inner\"><div class=\"slb_data\"><div class=\"slb_data_content\"><span class=\"slb_data_title\">{{item.title}}<\/span><span class=\"slb_group_status\">{{ui.group_status}}<\/span><div class=\"slb_data_desc\">{{item.description}}<\/div><\/div><\/div><div class=\"slb_nav\"><span class=\"slb_prev\">{{ui.nav_prev}}<\/span><span class=\"slb_next\">{{ui.nav_next}}<\/span><\/div><\/div><\/div><\/div>"}); }if ( !!window.SLB && SLB.has_child('View.extend_theme') ) { SLB.View.extend_theme('slb_default',{"name":"Default (Light)","parent":"slb_baseline","styles":[{"handle":"base","uri":"https:\/\/www.intezer.com\/wp-content\/plugins\/simple-lightbox\/themes\/default\/css\/style.css","deps":[]}]}); }})})(jQuery);}/* ]]> */</script>
<script type="text/javascript" id="slb_context">/* <![CDATA[ */if ( !!window.jQuery ) {(function($){$(document).ready(function(){if ( !!window.SLB ) { {$.extend(SLB, {"context":["public","user_guest"]});} }})})(jQuery);}/* ]]> */</script>
		<script type="text/javascript">
			(function() {
			var t   = document.createElement( 'script' );
			t.type  = 'text/javascript';
			t.async = true;
			t.id    = 'gauges-tracker';
			t.setAttribute( 'data-site-id', '5fd5ade352684d3c97554910' );
			t.src = '//secure.gaug.es/track.js';
			var s = document.getElementsByTagName( 'script' )[0];
			s.parentNode.insertBefore( t, s );
			})();
		</script>
		<script src='https://stats.wp.com/e-202223.js' defer></script>
<script>
	_stq = window._stq || [];
	_stq.push([ 'view', {v:'ext',j:'1:11.1-a.1',blog:'186808338',post:'25915',tz:'-4',srv:'www.intezer.com',hp:'atomic',ac:'3',amp:'0'} ]);
	_stq.push([ 'clickTrackerInit', '186808338', '25915' ]);
</script>
<noscript><link rel="stylesheet" href="https://149520725.v2.pressablecdn.com/wp-content/plugins/jetpack/css/jetpack.css?ver=11.1-a.1" media="all" /></noscript>
<noscript><link   data-wpacu-apply-media-query='screen and (min-width: 1024px)' rel='stylesheet' id='elementor-post-16929-css'  href='https://149520725.v2.pressablecdn.com/wp-content/uploads/elementor/css/post-16929.css?ver=1653890902' media='all' /></noscript>
<div id="top-bar-spacer"><div id="top-bar"><span class="desktop-title">Integrate with EDRs like CrowdStrike and SentinelOne to automate alert triage & response tasks.</span><span class="mobile-title">Integrate with EDRs like CrowdStrike and SentinelOne</span>&nbsp;<a class="top-bar-link" href="https://www.intezer.com/blog/incident-response/alert-triage-edr-integrations/">Learn more</a></div></div>        
        <script type="text/javascript"> /* <![CDATA[ */ var google_conversion_id = 842858921; var google_custom_params = window.google_tag_params; var google_remarketing_only = true; /* ]]> */ </script> <script type="text/javascript" src="//www.googleadservices.com/pagead/conversion.js"> </script> <noscript> <div style="display:inline;"> <img height="1" width="1" style="border-style:none;" alt="" src="//googleads.g.doubleclick.net/pagead/viewthroughconversion/842858921/?guid=ON&amp;script=0"/> </div> </noscript>

<script type="text/javascript" id="hs-script-loader" async defer src="//js.hs-scripts.com/5492986.js"></script>

<script>
  window.addEventListener('load', function() {

    if (window.location.pathname == '/create-account/created') {
      gtag('event', 'conversion', {
        'send_to': 'AW-725468766/6LItCJ7G_awDEN6M99kC'
      });

    }



  });

</script>

    </body>
</html>
<!--
	generated 187 seconds ago
	generated in 1.022 seconds
	served from batcache in 0.002 seconds
	expires in 113 seconds
-->
